×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Wired Writer Hack Shows Need For Tighter Cloud Security

timothy posted about a year and a half ago | from the internet-I-think-they-mean dept.

Cloud 132

Nerval's Lobster writes "Between 4:52 and 5:12 on August 3, attackers used Wired writer Mat Honan's Apple ID to wipe his MacBook, before seizing control of his Gmail and other online identities ('My accounts were daisy-chained together,' he wrote in an Aug. 6 postmortem on Wired), and posting a message on Twitter for all to see: 'Clan Vv3 and Phobia hacked this twitter.' In the wake of Honan's high-profile hack, there are some key takeaways. Even if a typical user can't prevent a social-engineering attack on the company hosting their cloud account, they can armor their online life in ways that make attacks more difficult. First, two-factor authentication can prevent an attacker from seizing control of those vital 'hub' accounts (such as Gmail) where users tend to store much of their most vital information. Google offers two-step verification for signing in, as does Facebook. The truly security-conscious can also uncouple their cloud accounts; for example, making sure that iCloud and iTunes use two different sets of credentials. That might rob daily life in the cloud of some of its convenience, but it could also make you a harder target." Update: 08/08 01:17 GMT by S : This high-profile security breach has had an impact already: Apple has suspended password resets through customer support, and Amazon no longer lets users call in to change account settings.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

132 comments

So much for ... (5, Insightful)

PPH (736903) | about a year and a half ago | (#40905527)

... single log on across the 'Net.

Re:So much for ... (1)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#40905545)

Apparently, the 'single sign-on' of the future will be practically any trivially available biographical information...

Re:So much for ... (-1)

Anonymous Coward | about a year and a half ago | (#40905797)

He shouldn't have been using Firefox [trollaxor.com] either.

Re:So much for ... (0)

Anonymous Coward | about a year and a half ago | (#40905981)

He shouldn't have been using Firefox [trollaxor.com] either.

Oh yeah, that site is a quality source of information...... haha

Re:So much for ... (-1)

Anonymous Coward | about a year and a half ago | (#40906147)

When you disparage Trollaxor you disparage us all. He more or less built this site....

Re:So much for ... (2)

Hatta (162192) | about a year and a half ago | (#40906051)

Single sign on vs multiple sign on is irrelevant when the attacker gets control of your main PC where all your credentials are.

Re:So much for ... (3, Interesting)

sexconker (1179573) | about a year and a half ago | (#40906427)

Single sign on vs multiple sign on is irrelevant when the attacker gets control of your main PC where all your credentials are.

No one got control over his PC in this case.
And why would anyone store credentials on their PC?

Re:So much for ... (1)

Anonymous Coward | about a year and a half ago | (#40906565)

I've known full tier 3 system admins (aka: Sr Sys Admins) store plain text passwords on their desktop in txt files labled "god_servername.txt".

There is also a huge amount of admins that keep password safe like programs on their local machines instead of in a "safe" location.

Re:So much for ... (1)

Anonymous Coward | about a year and a half ago | (#40906797)

Storing plaintext passwords in a text or KeePass database can be decently secure... provided they are stored on something with reliable security.

I personally like a TC volume on an IronKey [1]. This provides two layers, and in addition, some anti-brute force capability since the IronKey will zap itself after ten failed attempts.

[1]: They are now sold by Imation. I hope the new models keep the security features of the old ones before the changeover.

Re:So much for ... (1)

Hatta (162192) | about a year and a half ago | (#40906585)

Oh, I figured they used his Apple ID to log into his Macbook, where they could harvest the rest of his credentials. But instead, he gave all his log in info to Apple who gave it to the attacker. Duh.

Something like SSH agent would have easily prevented this attack.

Re:So much for ... (1)

macshome (818789) | about a year and a half ago | (#40907099)

How would SSH agent help here? They used social engineering at Amazon to get common account info, then further used social engineering to get the password reset on his Apple ID.

Once they had his Apple ID they logged into the iCloud service and issued remote wipes on all his devices that he had activated the wipe option on. Since he used the same credentials everywhere they were able to get into Twitter and Google as well.

As for loosing all his data, he should have had a backup. Apple makes this super easy on iOS using iCloud and on OS X using Time Machine.

Re:So much for ... (2)

Hatta (162192) | about a year and a half ago | (#40907303)

How would SSH agent help here?

People use the same credentials on multiple web sites for convenience. Something like SSH agent could provide the same convenience, while allowing people to have different keys for different systems AND keeping all those keys in one secure place.

Re:So much for ... (1)

macshome (818789) | about a year and a half ago | (#40907563)

Sure, for things that can use ssh keys it works great. This is how I connect to various git servers.

But in the case of this hack the services that were compromised were Amazon, Gmail, and iCloud web pages. All things that authenticate with user/password and not SSH keys.

Re:So much for ... (1)

Hatta (162192) | about a year and a half ago | (#40907621)

That's why I say "something like SSH agent". There's no technical reason we can't have a web based authentication mechanism that works the same way SSH agent does. Getting such a standard widely implemented would be the hard part.

Re:So much for ... (4, Interesting)

tchuladdiass (174342) | about a year and a half ago | (#40908359)

For those that don't know how ssh-agent works:
You have two parts to your key, one part encrypts only (public key) and the other part decrypts only (private key). The remote server sends a random message encrypted with the public key; that message is sent to the ssh-agent program, which decrypts the message with your private key which it has in memory. This decrypted message is sent back to the remote server -- if it matches what it randomly generated, it know that your are in possession of the private half of the key and lets you in. The secure part is that your private key is never sent over the wire, and never leaves the memory of the ssh-agent program (unlike a regular password).

Now one thing I've done in the past to make this more secure (when I carried a Nokia N900 linux-based phone) is I ran the agent on my phone only, and forwarded the connection to my PC via Bluetooth. I had it set up so that it would auto pair with PCs that I trusted (and play a particular sound on the pone during pairing and key usage), and require an accept button on the phone for other machines. I've been meaning to pick up Android programming so that I could port this over to my current phone. Oh, and when the agent program gets started on the phone, it requires a symmetric decryption key (protects it if the phone is stolen). Probably security overkill, but in my case I used it more for convenience than anything else.

Re:So much for ... (0)

Anonymous Coward | about a year and a half ago | (#40907575)

So, anyone with the last four digits of your credit card number (printed on every receipt you get from every retail establishment) can remotely wipe your MacBook.

That's quite the value-added feature, there!

Why enable remote-wipe on a device you don't back up? Or is this one of those things where you can't really disable it?

Re:So much for ... (2, Insightful)

icebike (68054) | about a year and a half ago | (#40907133)

Exactly.

As anyone who has been following this story from the beginning knows no real hacking took place, no encryption was broken, no keys
were stolen. The man used the same password for all his logins, and the "hacker" simply talked Apple support into handing over
access to his account, and once one password was known, the hacker could log in everywhere.

What amazes me is how many people posted on the original thread here on slashdot their utter disbelief about how this happened, apparently astounded that Apple would do such a thing. Yet Social Engineering is one of the primary methods of spectacular security breaches.

Still one has to ask, why this guy was chosen as a target. I suspect the attacker had just that little piece of inside knowledge that gave him just enough to nudge the Apple tech over the brink.

Re:So much for ... (1)

sexconker (1179573) | about a year and a half ago | (#40907561)

Exactly.

As anyone who has been following this story from the beginning knows no real hacking took place, no encryption was broken, no keys
were stolen. The man used the same password for all his logins, and the "hacker" simply talked Apple support into handing over
access to his account, and once one password was known, the hacker could log in everywhere.

What amazes me is how many people posted on the original thread here on slashdot their utter disbelief about how this happened, apparently astounded that Apple would do such a thing. Yet Social Engineering is one of the primary methods of spectacular security breaches.

Still one has to ask, why this guy was chosen as a target. I suspect the attacker had just that little piece of inside knowledge that gave him just enough to nudge the Apple tech over the brink.

He was chosen as a target because he had a 3-character twitter account name that the attacker wanted.

Apple (5, Interesting)

busyqth (2566075) | about a year and a half ago | (#40906053)

It was Apple that coughed up his credentials to the attackers. If Apple hadn't done that, there wouldn't be a problem.
There are some Apple employees that ought to lose their job over this and Apple ought to pay this guy something significant for screwing him over.

Re:Apple (3, Interesting)

Dragonslicer (991472) | about a year and a half ago | (#40906493)

There are some Apple employees that ought to lose their job over this...

It shouldn't be the support person that answered the phone, though. Apparently they followed Apple's procedure of requiring only a billing address and the last four digits of a credit card number to gain access to the account.

Re:Apple (2)

rmstar (114746) | about a year and a half ago | (#40906723)

Apparently they followed Apple's procedure of requiring only a billing address and the last four digits of a credit card number to gain access to the account.

It happens to make sense. It is so much more likely that such a call comes from a genuine customer in distress than from a hacker that, from a risk management point of view, that procedure is much better than telling a genuine customer "you should have been more careful, now you are hosed". Welcome to the real world.

Perhaps they should require a different subset of digits from the credit card number. The last four is a rather weak choice.

Re:Apple (2)

sFurbo (1361249) | about a year and a half ago | (#40906897)

The first eight are not random*, so if the last four is out, only number 9-12 are left.

*In fact, for any one type of card from any one Danish bank, the first 8 are identical.

Re:Apple (4, Insightful)

Anonymous Coward | about a year and a half ago | (#40907285)

What procedure would you suggest to tell the genuine customer that they just gave away your account and all your information you thought was properly backed up is now deleted?

Re:Apple (1)

icebike (68054) | about a year and a half ago | (#40907333)

Customer in distress?
Forgot their mother's name?

Come on! If you are that distressed, why do you need access to your apple account? Call 911, not Apple.

Re:Apple (0)

Anonymous Coward | about a year and a half ago | (#40907679)

a genuine customer in distress

Haha! I see you have a copy of the Social Engineering Hacking Character List too.
Good old #17, Customer In Distress. One of my faves.

Re:Apple (1)

tompaulco (629533) | about a year and a half ago | (#40908053)

Perhaps they should require a different subset of digits from the credit card number. The last four is a rather weak choice.
Better than the first four.

Re:Apple (3, Insightful)

icebike (68054) | about a year and a half ago | (#40907299)

Wait, why would any credit card digits and an address be sufficient?
You hand that over every time you buy something.

Why would apple bypass their own security questions and open the account to someone who can't remember any of those?
Seriously who forgets their Mother's maiden name or their first pets name?

Re:Apple (1)

Dragonslicer (991472) | about a year and a half ago | (#40907597)

I didn't say it was a good policy. In fact, I'm completely in favor of firing the people that came up with it. If the support person confirmed all of the information that Apple's policy requires, then the fault should go to the people that set the policy, not the support person that followed it.

Re:Apple (1)

dbitter1 (411864) | about a year and a half ago | (#40908087)

Seriously who forgets their Mother's maiden name or their first pets name?

Any idiot that actually replaces a high-security password with a low security, common knowledge item like MMN I hope to $diety never works as any type of admin in IT. I would assume anyone that thinks about it names their pets with a high-security name (like MD0km2!#nm1, or correct-horse-battery-staple if you prefer that style).

But first.. (5, Insightful)

js3 (319268) | about a year and a half ago | (#40905537)

we need a tighter way to detect reposts

Re:But first.. (1)

Anonymous Coward | about a year and a half ago | (#40905839)

What? The previous article was about Gizmodo editor Matt Honans. This is about Wired writer Mat Honan. Obviously two completely different people.

Re:But first.. (2)

paiute (550198) | about a year and a half ago | (#40906239)

What? The previous article was about Gizmodo editor Matt Honans. This is about Wired writer Mat Honan. Obviously two completely different people.

He's not fooling anyone.

Re:But first.. (0)

Anonymous Coward | about a year and a half ago | (#40906779)

But first some commenters need a better way to detect two different people.

is there a way to turn it on without a phone #? (2, Informative)

Trepidity (597) | about a year and a half ago | (#40905557)

When I try to turn on two-factor authentication at Google, it gives me a screen that asks me for a phone number, and doesn't seem to have a way to bypass this. I'd rather not give them my phone number.

Their help pages say that you don't have to use SMS-based authentication. Apparently there is a setting, once two-factor authentication is enabled, to switch from receiving the codes via SMS, and instead either write down a batch of 10 "backup codes" at a time, or else install the Google Authenticator app, initialize it with a key, and then use it to generate tie-synchronized codes thereafter. Either of these solutions is fine with me. But how do I enable them without having to give Google my phone number on the initial screen?

Re:is there a way to turn it on without a phone #? (0)

bobstreo (1320787) | about a year and a half ago | (#40905619)

Sign up for a google voice (or voip or something) account?

Maybe with a different password.

Re:is there a way to turn it on without a phone #? (2)

icebike (68054) | about a year and a half ago | (#40907467)

Sign up for a google voice (or voip or something) account?

Maybe with a different password.

Second point in the FAQ:
Why you shouldn’t use Google Voice to receive verification codes [google.com]

If you use Google Voice to receive verification codes, you can easily create a situation where you’ve locked yourself out of your account.

For example, if you are signed out of your Google Voice app, you might need a verification code to get back in. However, you won’t be able to receive this verification code because it will be sent to your Google Voice, which you can’t access.

Re:is there a way to turn it on without a phone #? (4, Insightful)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#40905621)

Well, for 20-ish dollars you can set yourself up with a burner prepaid phone and a very meagre SMS allotment...

Aside from that, though, I suspect that Team Google wants your convenient personal identifier for totally altruistic security reasons...

Re:is there a way to turn it on without a phone #? (0)

Anonymous Coward | about a year and a half ago | (#40905691)

yes you can turn it on without a phone, you need to set up a secondary email where you can receive the authentication. I'd suggest an email you dont use anywhere else so its off the scope.

Re:is there a way to turn it on without a phone #? (1)

travisco_nabisco (817002) | about a year and a half ago | (#40906543)

Be sure to turn on two-factor authentication on the second secondary email as well. Maybe you can use your main email as a place to receive the authentication code.

Re:is there a way to turn it on without a phone #? (1)

icebike (68054) | about a year and a half ago | (#40907551)

There is no reason to turn on two factor authentication for some secondary email, or even use a Gmail account for this.

You get non-descript messages with some digits in this email, and they are use-once codes. You can paste them on the bulletin board after you use them and nobody could use them again.

Once you get the Google Authentication app on your phone, you need never use this again.
Lose your phone? [google.com]

Re:is there a way to turn it on without a phone #? (1)

Terrasque (796014) | about a year and a half ago | (#40905713)

As far as I could tell, they don't verify the number. I had no problems setting it to a landline instead of my mobile phone.

When I last configured it I got the "10 burn codes" and an option for a phone number, where a robot would dial and read up some numbers.

So app on my phone, plus that piece of paper hidden away, plus a stable landline to someone I trust.

Re:is there a way to turn it on without a phone #? (4, Informative)

0100010001010011 (652467) | about a year and a half ago | (#40905975)

You have to have a phone to set it up. You can then disable the phone and re-enable it with:

> Mobile application
> Switch to an app to get codes even when you don't have cell coverage.

And then remove your phone #. So at minimum it's going to cost you a burner phone.

The awesome thing about Google Authenticator is that it's open source. You can download and compile a PAM package (and it's in the Debian repositories). http://code.google.com/p/google-authenticator/ [google.com] So anything that uses PAM can use google authenticator.

I have it setup on my outward facing SSH server so to get into my house's server you're going to need my password and one of my devices.

Re:is there a way to turn it on without a phone #? (-1)

Anonymous Coward | about a year and a half ago | (#40906069)

Stop your crying, delirium-slashdot@hackish.org

Re:is there a way to turn it on without a phone #? (4, Insightful)

dell623 (2021586) | about a year and a half ago | (#40906519)

You have something important enough (maybe email) on Google that you want 2-step authentication, and you're concerned about them having your phone number? What exactly are you afraid they can do with it? (I get the point of not wanting other information online)

Re:is there a way to turn it on without a phone #? (1)

oakgrove (845019) | about a year and a half ago | (#40906701)

This is precisely what I was wondering. If anything I want to establish more of a personal relationship with whichever cloud provider I throw my lot in with. On the off chance that Google abuses the personal contact information then you cut them off and blog to the heavens about it. I guarantee you the internet will eat it up and blog ads will more than pay for the pain and misery you suffered.

Re:is there a way to turn it on without a phone #? (2)

icebike (68054) | about a year and a half ago | (#40907401)

You don't have to give them YOUR phone number, nor does the phone have to be able to receive SMS.
Google will use a computer voice to read the digits to you. This number does not need to be your permanent number.

You just need ANY phone number that you can answer.
You will need it exactly twice.
Once to set things up on your computer.
Then again to get the Google Authentication app authorized. From then on you don't need to give them your phone number.

Pissants (1)

benjfowler (239527) | about a year and a half ago | (#40905617)

I'm sure there's people out there who are saying 'ooooh hacker skills', in that somebody managed to hack this guy's mail account (or snag his password). Bunch of amateur script kiddies who'd otherwise be huffing hair spray and smashing up bus shelters.

Re:Pissants (1)

The_Fire_Horse (552422) | about a year and a half ago | (#40905655)

Agree - it only takes a single fuckup for people to lose control of their data (whether running an application or phishing scam). Though it is a concern that everyone has these accounts linked.

Re:Pissants (2)

benjfowler (239527) | about a year and a half ago | (#40905711)

No, indeed, Gmail for a lot of people is the weakest link because it basically acts as the master key to one's online life.

That said, social engineering is a criminal skill, not a technical one. I've had a couple of friends who were quite serious crooks-- no prospects or skills, but got far by simply being able to blag things. In and out of jail their whole lives -- but then they were operating in the real world, where doing jail time comes with the territory. The Internet however is a free fire zone for scumbags, so the normal rules don't apply.

No "hacker" should call himself such, by simply being able to sweet-talk a minimum wage drone over the phone.

Re:Pissants (4, Informative)

GryMor (88799) | about a year and a half ago | (#40905861)

Unfortunately, in this case, at least on the Amazon side, it doesn't look like social engineering. It looks like a classic escalation attack in the same theme as the cuckoo egg: use weak credentials to deposit a payload that can then be used as strong credentials.

While social engineering is pernicious and relies on people violating policy in the name of being helpful or customer service (often without realizing they are doing it!), this is a straight up bug in the CS procedures.

Unfortunately, a similar bug in Apple's CS procedures allowed for further escalation.

Re:Pissants (1)

Lumpy (12016) | about a year and a half ago | (#40906229)

"That said, social engineering is a criminal skill, not a technical one."

I know a LOT of sales people and Lawyers that will seriously disagree with you.

Sales = Social engineering.
Lawyering = Social Engineering.

Re:Pissants (1)

icebike (68054) | about a year and a half ago | (#40907685)

"That said, social engineering is a criminal skill, not a technical one."

I know a LOT of sales people and Lawyers that will seriously disagree with you.

Sales = Social engineering.
Lawyering = Social Engineering.

You must be a politician, otherwise you would have had politicians at the top of your list.

Re:Pissants (4, Interesting)

RazorSharp (1418697) | about a year and a half ago | (#40907321)

No "hacker" should call himself such, by simply being able to sweet-talk a minimum wage drone over the phone.

You're being pedantic and glorifying the term 'hacker' way too much.

http://en.wikipedia.org/wiki/Kevin_mitnick [wikipedia.org] - this guy is usually referred to as a hacker, even though sweet talking minimum wage drones over the phone was his bread and butter. I get that you want to distinguish between the technologically adept and inept, using the terms 'hacker' and 'script kiddie' to do so, but the article is using the term 'hacker' in a legal sense; as in someone who commits crimes almost exclusively through the use of technology. My dad referred to himself as a hacker but he never committed a crime using his computer/phone. He just meant that he liked to hack out code.

Joe can be a man's name. Joe can be a cup of coffee. Joe can be a member of the armed services. Basically, you're arguing that your cup of coffee shouldn't be called Joe because that's your name.

the cloud would have made it more secure (1, Interesting)

alen (225700) | about a year and a half ago | (#40905647)

hackers grab his info from whois because he has a personal site from blogging
they use that to hack his amazon account
and then use the info from amazon to hack icloud

if he had just used wordpress or blogger or some other cloud service this hack would have been A LOT harder. it's 2012, no need to reinvent the wheel by setting up your own server for email, web site photo sharing or the 20 other things that da cloud has made easier and more secure. he just wanted to be uber tech cool and show off how he can run his own site and waste time managing it instead of letting someone else do it

Re:the cloud would have made it more secure (0)

Anonymous Coward | about a year and a half ago | (#40905699)

Uhh... NO. The only thing he did wrong was not springing for the "private whois" service. A few bucks there and none of this would have happened.

So remember, kids -- pay the five bucks (or whatever your hosting provider charges) and make that whois data PRIVATE!

Oh, and it was kinda dumb of him to use his mac email address as his Google recovery address. That's what let them wipe his Google account.

Also, BACKUPS, people, BACKUPS!

Re:the cloud would have made it more secure (2)

iluvcapra (782887) | about a year and a half ago | (#40906071)

Basically you're saying that no one should have an entry in the whois database because we can't have nice things.

The whois was just one way of doing this, I'm sure more than a few people's mailing address can be obtained from a google search (I know mine can, I've had to post too many PDF resumes.)

The problem is Apple and Amazon use knowledge of a mailing address as a credential, in the same way that many silly organizations use knowledge of the last four of your SSN.

Re:the cloud would have made it more secure (0)

Anonymous Coward | about a year and a half ago | (#40906185)

99.9% of cases of address and CC number are perfectly OK
amazon's policies are to prevent financial fraud, this was just a bug

but whois data is easy to get. you can get my address via a public records search but that involves time and going through a java application to access a database. whois data is a lot faster.

doing the little things like making your data hard to get and having amazon fix their account reset policy will solve a lot more hacking issues before doing crazy things like 2 factor authentication and using hard to remember information to authenticate yourself

that's the thing. he could have had a 20 character password and all kinds of crazy security but his macbook would have been wiped anyway because the "hacker" got his data from a publicly available website and used a bug in amazon's account reset policy

whois data used to be the first place spammers went to for email addresses to send spam to. having a website was a cool thing 20 years ago but it's like a horse buggy now.

crappy (-1, Offtopic)

Anonymous Coward | about a year and a half ago | (#40905675)

For being a technology site slash dot really has a shitty mobile interface

More security (0)

Anonymous Coward | about a year and a half ago | (#40905687)

What we need, good sirs is more security. We need three factor authentication with biometric neural iris chips. We need 35 alpha numeric with symbols and special character passwords and voice authentication.

Further more we need to make sure the information is encrypted, using an even more sophisticated method.

To combat the increasing risk of identity theft, hacking, global warming and obesity we have launched iSuperSecureCloud Protection Plus.

Trust us, THIS TIME IT'S SAFE!

Nothing ever changes in IT (2)

vlm (69642) | about a year and a half ago | (#40905771)

Nothing ever changes in the eternal wheel of IT.

You as a customer are never worth more than the cost of sales of replacing you.

So it has always been in all previous IT fads, so it shall forever be in all future IT fads.

Second post about this, really? (-1, Offtopic)

dehole (1577363) | about a year and a half ago | (#40905833)

I guess it's easier than making up a story that typical /. does, but still...

Non-authoritative authentication (5, Insightful)

mcelrath (8027) | about a year and a half ago | (#40905961)

Hey, I have an idea. Let's stop using non-secret information as authentication credentials. Address, birthday, mother's maiden name, last 4 digits of CC or SSN, CVV, childhood pet's name are NOT AUTHENTICATION. Authentication information should never be printed, emailed, or typed in the clear.

Personally, I've been putting random numbers in all those fields for years, and if the account contains sensitive information, recording that information in an encrypted way in the event that it is ever needed. So far, I've never needed such information (because I also record and encrypt my randomly-generated passwords).

Get KeePass [keepass.info] and enable two factor authentication. Then, call your bank and CC company and tell them the security on your credit card is absurd. Because who cares how good your Google password is if the guy standing behind you at 7/11 can get all the info he needs to defraud you by holding out his camera-phone while you buy your Gatorade?

Re:Non-authoritative authentication (3, Interesting)

null etc. (524767) | about a year and a half ago | (#40906517)

Nothing annoys me more than "security" questions. First, so many sites share the "secret" answer that it's really not secret, is it? Second, I'd prefer to not make vulnerable even yet more personally identifying information. Third, I really dislike needing to remember the hundreds of variations of stupid personal trivia that comprise my "answer". "In what city did you first drive a car?" How the hell should I know, I barely remember my name anymore!

Re:Non-authoritative authentication (0)

Anonymous Coward | about a year and a half ago | (#40908121)

I kind of like the security question, especially when I answer them in a completely different way.
e.g.: Name of your wife: still single

Re:Non-authoritative authentication (0)

Anonymous Coward | about a year and a half ago | (#40908225)

I really don't remember where I first drove a car, I was only 14 and had to drive because one of my legal friends was too drunk (I didn't drink anything)... Of course, you can make up fun answers like Motor City...

Re:Non-authoritative authentication (1)

mcelrath (8027) | about a year and a half ago | (#40908417)

I first drove my car in YKXz93W4MSGVn93z. You know it, it's 120 miles south of KrnummZF82cB5XXn. At least with these kinds of text entry fields, they're not going to require me to use one letter, one number, 2 forms of punctuation (but not an ampersand or dash!) and put a max length limit on the stupid thing.

Re:Non-authoritative authentication (1)

Anonymous Coward | about a year and a half ago | (#40906537)

You forgot "What High School did you attend?"

(Short list of answers: Washington, Jefferson, Adams, Lincoln, Wasilla...)

Re:Non-authoritative authentication (0)

Anonymous Coward | about a year and a half ago | (#40906817)

Plus lots of folks have it on their Facebook info page. And even if they don't they may have their hometown and odds are the school name is the same as the hometown.

Re:Non-authoritative authentication (1)

Archangel Michael (180766) | about a year and a half ago | (#40907123)

Authentication is not the same as proof of identity. Authentication is not ID, nor is ID Authentication.

But how does one PROVE who they are? In order to PROVE you are who you are, you need a chain of trusted Identification.

1) Peter Knows Mary, Peter can ID Mary. But is Peter is not Trusted (yet)
2) Paul ALSO knows Mary. Paul can also ID Mary, and Paul is trusted.
3) Jane, Sue and Michael all know Mary. They all can ID Mary, but offer various levels of trust.

In each of these scenarios ID can be established provided if we have enough "trust" secured. 1) Not enough, 2) Maybe Enough, 3) Probably Enough.

    THIS is how authentication should work. It is NON trivial for computers and hackers to breach. It is harder than even two factor authentication. Stolen Phone and bam you have two factor authentication done. You cannot steal people (not easily) and you probably cannot steal enough people to make this work.

I rather doubt that any level of COMPUTER authentication is going to be secure in the long run.

Re:Non-authoritative authentication (1)

mcelrath (8027) | about a year and a half ago | (#40908001)

For 99% of internet applications, authentication is sufficient. Google, Apple, or any vendor doesn't need to know who I am, and they damn well don't need to link that info to my bank or tax records. It's none of their damn business. I don't want to identify myself.

All that is required is to identify that the person making the request is the same one that established the account. Pure authentication, no identification. We've all done ourselves a major disservice by muddling the two. Of course, Google and Facebook love it. Their profit model is based on selling identifying data.

So I very strongly disagree with your claim that authentication should work by using identification. ID isn't necessary. In fact we'd be a lot safer if the two were totally decoupled. Then one compromised account could not lead to escalating compromises (unless you're foolish enough to use the same authentication credentials in multiple places -- or have chosen to let your identification be your authentication).

Find My Mac / Fuckup My Mac (3, Funny)

djdavetrouble (442175) | about a year and a half ago | (#40905967)

Wow did even realize icloud had the ability to Remote wipe my computer.

Currently Turning OFF this feature !

Re:Find My Mac / Fuckup My Mac (4, Insightful)

Anonymous Coward | about a year and a half ago | (#40906225)

The attacker can just turn it on again.

Why insightful? (2, Insightful)

Anonymous Coward | about a year and a half ago | (#40907459)

The attacker can just turn it on again.

Why is this modded insightful? You can't "just turn on" remote wipe, er, remotely. You have to enable it on the machine first, and you need an administrator account to enable it on the machine.

no one will care for your data like you do (2)

Dan667 (564390) | about a year and a half ago | (#40906079)

if you put something valuable on mainframes at other companies (ie the new marketing buzzword "the cloud") then you are accepting the risk. Not worth it IMHO.

Re:no one will care for your data like you do (0)

Anonymous Coward | about a year and a half ago | (#40907809)

if you put something valuable on mainframes at other companies (ie the new marketing buzzword "the cloud") then you are accepting the risk. Not worth it IMHO.

That is an insult to mainframe tech.

Yet another post on this idiot? (3, Informative)

retech (1228598) | about a year and a half ago | (#40906093)

Seriously, why is everyone screaming security when it was not a hack but a social engineering entry? And why cry for an idiot who had NO personal backups of his own data? He's an idiot.

Re:Yet another post on this idiot? (1)

Krneki (1192201) | about a year and a half ago | (#40906285)

Yap and idiot. Having insecure passwords over multiple different services is moronic at best. The fact that he has no backup when using cloud services is priceless and I bet he didn't even encrypt the data before putting it on an unknown server. P.S: WTF is daisy-chained, saved passwords or same password across different accounts? Use your passwords wisely and never let the OS save them if they are for important services, yes it takes more typing to access the mail, but this is what you do to be secure.

Re:Yet another post on this idiot? (4, Interesting)

dell623 (2021586) | about a year and a half ago | (#40906583)

Because he's not the only idiot. You would be surprised how many tech savvy people have no backups and are equally vulnerable. Also it's something worth highlighting as it has shown critical flaws in bot Amazon and Apple's authentication systems. And it persuaded me to go ahead and set up 2-step authentication on Google, and I am damn glad I did.

Re:Yet another post on this idiot? (1)

Anonymous Coward | about a year and a half ago | (#40907057)

I find that people complaining about the backup habits of other users are typically the ones with no solid backup plans themselves. Of course, I can't say if this is true in your case. You're correct in your assertion that he should've had backups, however.

Social engineering has everything to do with security, by the way. If you're vulnerable to social engineering (either via lack of proper security policies or a failure in training of personnel that have access to sensitive data), your security is compromised. The need for security does not end at securing software services.

Re:Yet another post on this idiot? (0)

Anonymous Coward | about a year and a half ago | (#40907643)

And why cry for an idiot who had NO personal backups of his own data?

He did have a backup, it was in The Cloud(TM).

He's an idiot.

Yes. He is an idiot for trusting Apple's security implementation.

Re:Yet another post on this idiot? (0)

Anonymous Coward | about a year and a half ago | (#40907723)

Seriously, why is everyone screaming security when it was not a hack but a social engineering entry? And why cry for an idiot who had NO personal backups of his own data? He's an idiot.

Seriosuly, why cry for an idiot who got his skull fractured during a home invasion robbery? He opened the door, didn't he? Oh wait, they kicked it in? Well, it's his fault for not having welded steel doorjambs and a 2-inch thick door. He's an idiot.

Email is the weakest link (3, Informative)

Anonymous Coward | about a year and a half ago | (#40906107)

When a password reset is requested, a new password is sent to your email address. So, if a hacker gains access to your primary email account, then he has access to ALL of your accounts. (In fact, since email isn't encrypted, he only has to be able to intercept the password-reset message somewhere in transit.)

Email is the weakest link on the internet.

Re:Email is the weakest link (2)

gander666 (723553) | about a year and a half ago | (#40907163)

Email is the weakest link on the internet.

This. I am amazed by the professionals in information handling who genuinely answer that Email is fine for exchanging sensitive information. I heard a hospital IT manager honestly answer that he thought that email of patient record via PDF was fine. Sigh.

Re:Email is the weakest link (0)

Anonymous Coward | about a year and a half ago | (#40908051)

It isn't?!

What would you recommend for transferring that information digitally rather than resorting to plain paper mail in a secure envelope?

Re:Email is the weakest link (1)

Vairon (17314) | about a year and a half ago | (#40907537)

It is no longer entirely true that e-mail is not encrypted. Many SMTP servers support encryption using SSL or TLS when communicating with another SMTP server. For example here is an example of an SMTP server receiving an e-mail from one of Google's gmail SMTP servers.

Aug 7 13:33:28 x postfix/smtpd[22642]: setting up TLS connection from mail-gh0-f182.google.com[209.85.160.182]
Aug 7 13:33:28 x postfix/smtpd[22642]: Anonymous TLS connection established from mail-gh0-f182.google.com[209.85.160.182]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)

I believe this behavior is defined by RFC 3207 [ietf.org]
If you manage a Postfix SMTP server and have not enabled TLS support I would suggest you read
http://www.postfix.org/TLS_README.html [postfix.org]

Re:Email is the weakest link (0)

Anonymous Coward | about a year and a half ago | (#40908637)

Many SMTP servers support encryption using SSL or TLS when communicating with another SMTP server.

But there is no guarantee that all of the SMTP servers from the source to the destination will be encrypting the messages. A user might be able to ensure that he has an encrypted connection to his ISP's SMTP server, but he cannot be sure that there will be encryption anywhere else. The current infrastructure of the internet is not guaranteed to be secure.

Defending in Depth? Or Eggs in All Baskets? (0)

darkmeridian (119044) | about a year and a half ago | (#40906209)

My current theory on cyber security is to put all of my eggs in a few baskets rather than spreading them out. My primary email accounts are operated by Google, with Google Authenticator providing two-factor security. I have LastPass providing complex and unique passwords for every website out there, and again, I have Google Authenticator providing two-factor security for that as well. Because LastPass has essentially scrambled all of my logins, I cannot access any website--including the email--without LastPass and two-factor security. All of my pictures and docs are backed up using CrashPlan with client-side encryption, with the key stored on LastPass. This set up seems smarter than spreading everything thinly.

Re:Defending in Depth? Or Eggs in All Baskets? (0)

Anonymous Coward | about a year and a half ago | (#40906511)

this seems pretty smart to me. Thanks for the ideas mate.
j

Re:Defending in Depth? Or Eggs in All Baskets? (1)

KhabaLox (1906148) | about a year and a half ago | (#40906967)

I use LP too, though I have to confess that I don't make full use of their password generation feature. I haven't tried the mobile apps - do those make it easy to log into sites from your phone? What about when you're at a different computer (not your own) - you simply use the mobile app to retrieve your password?

Re:Defending in Depth? Or Eggs in All Baskets? (1)

michaelwigle (822387) | about a year and a half ago | (#40907775)

I use LP too, though I have to confess that I don't make full use of their password generation feature. I haven't tried the mobile apps - do those make it easy to log into sites from your phone?

Yes..

What about when you're at a different computer (not your own) - you simply use the mobile app to retrieve your password?

... and yes (if by mobile app you mean log on to the web site). You could, of course, also have a mobile version of Firefox with Lastpass so there is no danger of keylogging your Lastpass sign-in.

Amazon screwed up and enabled Apple screwup. (1)

Anonymous Coward | about a year and a half ago | (#40906323)

So, the Apple intrusion would not have happened if Amazon had not facilitated the recovery of this guy's credit card details.

If Amazon had not allowed the addition of a credit card number OVER THE PHONE and had not reset the password OVER THE PHONE all would have been ok.

Both Apple and Amazon should have required email confirmation before resetting passwords.

I RTFA, I call BS On This Being A Cloud Problem... (0)

Anonymous Coward | about a year and a half ago | (#40907031)

This is just run of the mill human fail in multiple ways, by multiple people, who should know better. Yawn, it is not surprising or spectacular.

Cloud services are some of what he was using that was chained together that made it easier for the hacker, but it didn't fail, in fact, it worked spankingly good! Took out all his Apple with one account, I call that working great... What did fail was the dude not having his digital pics on his laptop backed up.

Gee, not only is there no privacy on the web (1)

mikein08 (1722754) | about a year and a half ago | (#40907167)

there's no security either!! But we've all known this for a very long time, now haven't we??? And you're going to entrust your persoal data to "the cloud"???

Whine (0)

Anonymous Coward | about a year and a half ago | (#40907659)

Thanks for warning everyone else to not be such a dumbass and include easy ways for an attacker to tip over your entire security posture. Yes, enable two-factor, yes, backup, we get it, you didn't do this and now you're screwed. Why is this Apple or Amazons fault? If your in a position to write a blog that gets significant attention across the web, secure your shit.

How this happened (0)

Anonymous Coward | about a year and a half ago | (#40907921)

People created banks.
Banks created currency - a way for people to buy things without having to lug around a sack of whatever they grew.
Economies grew. Production economies became consumer economies because there was just so much stuff to buy.
Consumer economies circulate currency faster than banks can easily count it. Banks then want an easily calculatable currency.
Computers are made to calculate. Banks created as system where currency became computer code.
People still wanted banks to act like banks. They want their money to be visible. The only way to make digital money visible was to give people access to the computers and the easiest way for banks to grant access was through the internet. Q.E.D.

Here' s an interesting fact: the Internet is NOT the only way banks could have provided access to their computers, it's just the easiest. Creating a secure banking protocol and connecting it up to the internet through a proprietary VPN connection would be much safer but probably much more expensive and we all know how banks are about money.

2-step authentication from google is sub-par. (1)

Eldragon (163969) | about a year and a half ago | (#40907965)

2-step authentication from Google still requires a cell phone. For anyone who does not own a cell phone (such as myself), it is major hurdle to upgrading the security on my account.

It is a shame google does not sell SecurID or similar key fobs for those who want security, but don't have a cell phone.

Clouds! (2)

DarthVain (724186) | about a year and a half ago | (#40908139)

It doesn't surprise me in the least that clouds are not secure. I mean they are fluffy white things in the sky made mostly from water vapour. How can something like that be secure! Though they are someone intangible, and pretty hard to reach without some sort of assistance from earth. But hell birds can access them, birds! Do you think anything that birds can access is really secure?

Birds, the sky hackers!

Also Apple tech support sucks (believe me, I used to know some), and don't use the same password for everything...

Well I'm off, gotta go change my Apple passwords, see ya! :)

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...