Attacks/Breaches
8/10/2012
02:24 PM
50%
50%

Apple, Amazon Security Fails: Time For Change

What will it take for cloud service providers to overhaul their customer identification mechanisms and finally get serious about social engineering attack vectors?

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Honan is hardly the first tech-savvy person to make these types of mistakes. Accused LulzSec and Anonymous participant Donncha O'Cearrbhail claimed to have compromised the AppleID of Ireland's top cybercrime investigator. Because the cop was also forwarding his work emails to a Gmail account that he'd set his iPhone to check, O'Cearrbhail was able to eavesdrop on a conference call between the FBI and overseas law enforcement agencies.

Unfortunately, when it comes to securing people's increasingly connected online lifestyles, there aren't any easy answers. "People want to leverage technology to make their lives easier, so they link all of these accounts together, and by doing so, they put themselves at risk," says Space Rogue. "Is it the fault of the technology companies for allowing people to do this, or people's fault? This is something that society is going to have to deal with as we move forward."

Thankfully, Honan's cautionary tale--and excellent analysis of how his life was hacked, made possible by Phobia telling all, in return for a guarantee that Honan wouldn't prosecute him--has now put this question front and center.

But should you suffer a similar fate, don't expect the white-gloves treatment afforded Honan, which has included Apple working to restore the files that were remotely deleted from his hard drive. "The victim here is a popular technology journalist, so he got a level of tech support that's not available to most of us," said Bruce Schneier, chief security technology officer of BT, in a blog post. "I believe this will increasingly become a problem, and that cloud providers will need better and more automated solutions."

What might these improved security solutions look like? As noted, Apple and Amazon can start by at least offering two-factor authentication. Given that both companies earn big bucks from running smartphone app stores and have those distribution channels, creating a two-factor smartphone app would be a natural next step. Or they could just use Google's smartphone app.

Meanwhile, for people who want to call customer service to reset a password, but who--like Phobia when he contacted Apple--lacked the answers to security questions already on file, make them jump through hoops. For example, after allowing a user to request a password reset by phone, why not "make the person call back the next day," says Tumblr co-founder Marco Arment. "If you forget your password and the answers to your security questions, it's not unreasonable to expect a bit of inconvenience." Especially if you don't want to see your digital life compromised by a social-engineering-savvy attacker.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarkSitkowski
50%
50%
MarkSitkowski,
User Rank: Moderator
9/5/2012 | 12:46:36 AM
re: Apple, Amazon Security Fails: Time For Change
Whenever I read one of these cautionary tales, I wonder how long it will be before organisations realise that passwords, PIN codes, biometrics and eyeball scans are not the answer. As Andrew rightly says, if it's difficult, people won't use it. I personally, have a directory on my machine containing about 80 files, with the username and password for every online connection I make - and I'm in the security business.
Security hole? Definitely. Avoidable? Definitely.
How much easier it would be, if all I had to remember was just one key word, of arbitrary length and, when I had to login to something, I was presented with an alphabet, and a string of corresponding random zero's and one's. All I'd have to do, is enter the numbers matching my word, and nobody, unless they read my mind, would know what my word was. If they tried copying what I'd typed, it wouldn't match the second set of random numbers. A nine-year old could do use it.
Oh, yes. When I entered my key word for the first time, or decided to change it, perhaps I could be presented with a random array of jpeg's of letters, which I could drag and drop into a field, so that malware didn't know what my new word was. That would be easier than typing, and a nine-year old could manage that, too. Perhaps there already is such an authentication system and, perhaps, a couple of banks, cloud providers and law-enforcement agencies are already implementing it. Perhaps it's described in a document at www.designsim.com.au/What_is_S....
Mathew
50%
50%
Mathew,
User Rank: Apprentice
8/17/2012 | 9:59:56 AM
re: Apple, Amazon Security Fails: Time For Change
Great comment, Anon. Reminds me of Norman Mailer's "Harlot's Ghost," in which one of the characters is trained in spycraft techniques which (if memory serves) involve applying arbitrary colors and object names to help memorize important words or concepts.
But the problem word in that statement is training--teaching yourself how to do this, then remembering what your system is.
So here's a suggestion: For those of us not so well-versed in such systems (myself included), use password safe software that works across PC/Mac, tablets, and smartphones. If you're using such software to keep track of unique passwords for every website you use--which you should be doing anyway--there's ample room to also track just which unique "mother's maiden name" you've used for any given website.
-- Mathew Schwartz
ANON1237925156805
50%
50%
ANON1237925156805,
User Rank: Apprentice
8/16/2012 | 5:15:34 PM
re: Apple, Amazon Security Fails: Time For Change
No security question need be a problem because YOU DON'T HAVE TO GIVE THE RIGHT ANSWER!!! This info does not get verified. You are asked for a fact about yourself to minimize the risk of your forgetting the answer to the security question.

I began my "lying" strategy when banks would ask for my mother's maiden name so that they could verify my identity if I later needed to bank by phone. This was years before the internet.

When asked for my mother's maiden name I give a syllable from the middle that's a very obscure but charming word. No one else would think of it, but I now remember it right alongside her actual name.

The trick is to develop one fake answer for each of the researchable standard questions as it comes up. Once you've got it, always give that answer for that question. Make your fake answer relate to the question with an association that's strong for you. That way it'll be just as easy for you to remember as the correct answer.

For example, would-be predators can look up your city of birth but they can't guess or research if you give another city instead. I give the city and state where my parents lived at that time and where I lived for the first seven months of my life.

If asked for my grandmother's first name, I give the name of her favorite sister, first and married names. If asked for my high school, I give one of the school's cross streets. Etc., etc.

This strategy works very well even for technophobes; each of us has associations that will support our recall of well-crafted bogus answers. Get a small library and you're set. So coach your friends!
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
8/14/2012 | 2:14:12 AM
re: Apple, Amazon Security Fails: Time For Change
Every time you make things "difficult" for a user to use, the more likely they're not to use it.

But, when you have the simplicity of "Oh look, one click and my entire life gets backed up on the cloud and I never have to worry about it"... that sells people on your solution.

What needs to happen is the ability for users to determine how many levels of security that they want for their accounts. Give a user the option of adding things like call back verification, two factor authentication, etc, etc. instead of applying a "one size fits all" solution across the board. Grandma storing her chicken cacciatore recipes on the cloud doesn't necessarily have the same security level requirements of someone doing on-line bill paying.

Andrew Hornback
InformationWeek Contributor
ANON1243950556912
50%
50%
ANON1243950556912,
User Rank: Apprentice
8/13/2012 | 6:43:59 PM
re: Apple, Amazon Security Fails: Time For Change
My bank allowed me to sign up for online banking with my account number (available to anyone to whom I ever sent a check, or anyone whose check I cashed) and the last four digits of my phone number. Gee, I wonder how you could find out what someone's phone number is.

Typical security questions: "What is your grandfather's first name?" "What was the name of your high school?" and the ever-popular "Mother's maiden name."

But some halfway decent ones: Name of your first pet, favorite movie.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.