Making life more difficult for the hackers
WIRED:LAST FRIDAY, the journalist Mat Honan was hacked – “hacked”, as he says, “hard”.
Honan used to work for Gizmodo, a tech blog that has its fair share of detractors, and personally attracts a fair level of attention for his writing; but in fact he was targeted because the hacker wanted to get to his three-letter Twitter handle, mat.
In the process Honan had his Twitter, Gmail, and Apple accounts taken over by his attackers.
The hackers posted obscenities on the Twitter feed, searched his Gmail account to obtain other passwords and details about his life and most drastically, used the Apple login to trigger remote wipes of his iPad, MacBook and iPhone.
“Remote wipe” is Apple’s new iCloud feature which allows users to ask Apple to destroy all the data on equipment that has been reported lost or stolen. It’s an operation you can start automatically – if you have the right password.
All of this happened within minutes of obtaining the first password; Honan had the movie thriller-like moment of watching his phone and other equipment shut down and start deleting the only copies of his personal data.
He backed up his data, but only to Apple’s iCloud service itself, which says it can only recover his data using forensics on his hard drive.
Just like any other cloud service, every copy of his data was accessible over the internet. He didn’t have an offline backup – a store of data that you only connect to your computer briefly, and then keep separate from any networks.
According to discussions with the attackers themselves (who got in touch with Mat and told him how they did it, in return for his promise not to pursue charges), it looks like it wasn’t high-tech techniques that let them break into Honan’s Apple account.
Honan’s password wasn’t easily guessed, either. Instead, the attack used the oldest trick in the book.
Among computer security types, it’s called “social engineering”, but the less fancy name for it is “conning a human being”.
Honan’s attacker simply called up both Amazon and Apple tech support, pretended to be him, and then skilfully evaded the normal security checks that usually prevent such masquerades.
Apple’s phone support agreed to reset the password, effectively handing over the account to the caller.
Social engineering remains one of the the weakest spots in any computing system that isn’t entirely automated – which is to say, all of them.
It’s amazing to me that even relatively cautious institutions such as banks seem to build online systems that are painfully vulnerable.