Making life more difficult for the hackers
WIRED: Last Friday, the journalist Mat Honan was hacked – “hacked”, as he says, “hard”.
Honan used to work for Gizmodo, a tech blog with its fair share of detractors, and his writing attracts a fair amount of attention in its own right; but in fact he was targeted because the hacker wanted his three-letter Twitter handle, “mat”.
In the process Honan had his Twitter, Gmail, and Apple accounts taken over by his attackers.
The hackers posted obscenities on his Twitter feed, searched his Gmail account for other passwords and details about his life and, most drastically, used the Apple login to trigger remote wipes of his iPad, MacBook and iPhone.
“Remote wipe” is Apple’s new iCloud feature, which lets a user ask Apple to destroy all the data on equipment that has been reported lost or stolen. It is an operation anyone can start remotely, with no further check – if they have the right password.
All of this happened within minutes of the attackers obtaining the first password; Honan had the thriller-movie moment of watching his phone and other equipment shut down and start deleting the only copies of his personal data.
He backed up his data, but only to Apple’s iCloud service itself, and Apple says it can now recover his data only by forensic work on his hard drive.
Like any other cloud service, iCloud is reachable over the internet, so every copy of his data was too. He didn’t have an offline backup – a store of data that you connect to your computer only briefly, and then keep separate from any network.
According to the attackers themselves (who got in touch with Honan and told him how they did it, in return for his promise not to press charges), it was no high-tech technique that let them into Honan’s Apple account.
Honan’s password wasn’t easily guessed, either. Instead, the attack used the oldest trick in the book.
Among computer security types, it’s called “social engineering”, but the less fancy name for it is “conning a human being”.
Honan’s attacker simply called both Amazon and Apple tech support, pretended to be him, and skilfully talked his way past the security checks that are supposed to prevent such masquerades.
Apple’s phone support agreed to reset the password, effectively handing over the account to the caller.
Social engineering remains one of the weakest spots in any computing system that isn’t entirely automated – which is to say, all of them.
It’s amazing to me that even relatively cautious institutions such as banks seem to build online systems that are painfully vulnerable.
