'Hack' Attack on Journo Was Just a Simple Engineering Feat
Aug 6, 2012 12:11 PM PT
In the movies, hackers often type away at a keyboard and somehow -- movie magic, perhaps -- manage to crack a network's security and access encrypted files and protected data. In real life, bypassing security measures can be as simple as sweet-talking tech support.
That is how tech journalist Mat Honan, a former Gizmodo writer, came under attack. Someone called Apple's support staff and gained control of Honan's iCloud storage account, which compromised his associated Apple devices, and even his Gmail and Twitter accounts.
Honan could only watch as his iPhone went dead, and his iPad and MacBook contents were erased. The hacker brazenly sent racist tweets not only from Honan's personal Twitter account but also from a Gizmodo account he used when he worked there.
If all this could happen to a tech-savvy writer, how safe can the average user be?
"The most important thing to understand is that this is not a hacking attack," said Alan Webber, principal analyst for the Altimeter Group. "It is totally a social engineering problem -- 100 percent."
Mat Honan and Apple did not respond to our request for further details.
Social Networking Opens Social Engineering Window
Just as users need to be cautious about the phishing techniques used to steal personal information, they need to be aware that social networks such as Twitter and Facebook -- which allow users to share personal information about themselves -- have opened holes that hackers use to exploit their systems.
This isn't new, however.
"Actually social engineering -- phishing or pretexting -- preceded technology and remains the easiest way to get through most security systems, physical or electronic," said Rob Enderle, principal analyst for the Enderle Group. "It is well past time we should have fixed this."
While it is easy to paraphrase Benjamin Franklin, who suggested that "he who sacrifices freedom for security deserves neither," we actually shouldn't confuse freedom with convenience in the digital space.
"There absolutely needs to be a balance between security and convenience," Webber told TechNewsWorld. "But convenience is overrated when it comes to backing up to protect against this type of attack."
Lack of Redundancy
The fact that Honan was hacked in the way he was actually isn't that surprising. The initial failure appeared to be Apple's, as the hacker was able to con the tech support staffer into resetting a password. This allowed access to the iCloud account.
"Generally the easiest way through security is with a phishing attack through support. You convince them you are the owner of the account and that your email address has changed -- having set up an address that looks like the owner's -- and have them reset the password and send to the email address," explained Enderle.
"Challenge questions, if they exist, often can be easily figured out from Facebook accounts or CVs that are public -- if those questions exist -- and the user is pretty much screwed," he said.
"Unwinding it all can be a painful process," added Enderle.
The lack of redundancy in backups is what makes the process especially difficult. Here is where the convenience of having everything in the cloud made Honan's situation worse. Once the cloud account holding the backup was taken over, the devices linked to it could be compromised as well.
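The takeover pattern the article describes, a reset delivered to a contact address that had just been changed through support and then device wipes within the hour, is something an account-security team can flag in its own support and account logs. The following Python is an added example, not code from the article or from Apple; the log format, account ids, addresses and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample account/support events (not real data from the article).
# Each line: timestamp, then key=value fields.
SAMPLE_LOG = """\
2012-08-03 09:00:00 acct=acct2 event=contact_email_changed new=owner-new@example.org channel=web_verified_old_email
2012-08-03 16:33:00 acct=acct1 event=contact_email_changed new=lookalike@example.net channel=phone_support
2012-08-03 16:35:00 acct=acct1 event=password_reset sent_to=lookalike@example.net channel=phone_support
2012-08-03 16:41:00 acct=acct1 event=remote_wipe device=phone
2012-08-03 16:52:00 acct=acct1 event=remote_wipe device=laptop
2012-08-15 10:00:00 acct=acct2 event=password_reset sent_to=owner-new@example.org channel=web
"""

def parse_events(log):
    """Turn the constructed log into dicts with a parsed 'ts' field."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        ev = dict(p.split("=", 1) for p in parts[2:])
        ev["ts"] = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events

def find_recovery_abuse(events, contact_window=timedelta(days=7), wipe_window=timedelta(hours=1)):
    """Flag two patterns from the article's timeline:
    1. a password reset delivered to a contact address that was changed
       less than contact_window earlier (the 'my email changed' pretext);
    2. a remote wipe issued within wipe_window of such a reset.
    Returns (account, rule, timestamp) tuples, chronological per account."""
    by_acct = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_acct.setdefault(ev["acct"], []).append(ev)
    alerts = []
    for acct, evs in by_acct.items():
        changes = [e for e in evs if e["event"] == "contact_email_changed"]
        wipes = [e for e in evs if e["event"] == "remote_wipe"]
        for reset in (e for e in evs if e["event"] == "password_reset"):
            recent = [c for c in changes
                      if c["new"] == reset["sent_to"]
                      and c["ts"] <= reset["ts"] <= c["ts"] + contact_window]
            if not recent:
                continue  # reset went to a long-established address: normal
            alerts.append((acct, "reset_to_recently_changed_contact", reset["ts"]))
            for w in wipes:
                if reset["ts"] <= w["ts"] <= reset["ts"] + wipe_window:
                    alerts.append((acct, "wipe_after_suspect_reset", w["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in find_recovery_abuse(parse_events(SAMPLE_LOG)):
        print(alert)
```

Running it flags only acct1: the reset to the two-minute-old address and both wipes that follow it, while acct2's reset to an address verified twelve days earlier passes.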
Multiple backups -- or better still, backups on different systems -- are advisable.
"I have my iPhone and iPad on different accounts," said Webber. "If I lose one, I don't lose the other. It is simple to do. So what happened to Mat is horrible, but he really missed some bases. When you look at the timeline in his case, it just took 25 minutes for a complete takeover of everything!"
Too Much Convenience
The issue circles back to the need for convenience. For companies, it is easier to fix one problem and go on to the next problem, which in situations like this creates a bigger problem.
"Most of these services are free or near free, which means things like password resets are often automated," said Enderle, "and if you get to a live person, they are motivated to fix the problem as quickly as possible. Increasingly, banks and services are moving to dual-factor authentication, where you need both a password and an approved device to get in -- but phishing attacks can still get around that."
The problem is that passwords aren't the best solution. Users are told not to make them easy for hackers to crack, but those that are difficult mean they're too easily forgotten, which in turn means tech support people are asked to reset them. That opens the door for hackers to sweet-talk tech support and worm their way in.
"In the end, we desperately need a way for you to identify yourself, and we've known for decades that passwords are inadequate for the task," emphasized Enderle.
"If they are easy to remember, they are easy to figure out -- and if they aren't easy, folks will write them down," he said, "the first opening them up to physical theft, and the second to successful phishing attacks against easy and/or cheap reset processes."