On the evening of August 3, a group of hackers managed to blast a sizable hole in Wired writer Mat Honan’s digital life.
At 4:33 p.m., an attacker called AppleCare and supplied the customer-service representative with two pieces of vital information, easily discoverable with just a little bit of searching: Honan’s billing address and the last four digits of his credit card. Apple offered a temporary password, which the attacker used to take control of Honan’s account.
Where had the attackers managed to obtain the last four digits of Honan’s credit card? By calling Amazon tech support twice, the first time to add a new credit card number (doable by offering a name, email and billing address), the second to add a new email address to an account.
Between 4:52 and 5:12, the attackers used Honan’s Apple ID to wipe his MacBook, before seizing control of his Gmail and other online identities (“My accounts were daisy-chained together,” he wrote in an Aug. 6 postmortem on Wired), and posting a message on Twitter for all to see: “Clan Vv3 and Phobia hacked this twitter.”
“My experience leads me to believe that cloud-based systems need fundamentally different security measures,” Honan wrote. “Password-based security mechanisms—which can be cracked, reset, and socially engineered—no longer suffice in the era of cloud computing.”
For the Lulz
Cruise around the Web for any length of time, and you’ll stumble on a banner ad or Webpage from a company extolling the virtues of the cloud. Upload your information to our servers, those missives promise, and your digital life will become more streamlined and easier to manage. Your data—from your credit-card numbers and work documents to your meticulously assembled collection of concert recordings—is safe with us.
That data is also a treasure-trove to any hacker. Companies realize this, and invest millions of dollars in security software designed to repel attacks. But all the best-coded software in the world can’t prevent a determined attacker from calling or messaging a company representative and manipulating them into giving up vital information—a technique known as social engineering. “There’s no patch for human stupidity,” goes the cruel maxim.
“When I perform penetration tests, it will take me a week maybe to break into an organization. That’s a lot of time and effort,” David Kennedy, founder and principal security consultant of TrustedSec, wrote in an email. “Social engineering? Maybe a day to two days of research and simply picking up the phone and remaining calm.”
For consumer services such as Apple and Google, a massive organizational framework can prove a detriment when it comes to blocking social-engineering attacks. “In order to service that volume they have to have a large turnover on customer support lines and continuously training new people over and over,” Kennedy wrote. “There will continue to be lapses. If you attempt a social-engineer attack and it’s not successful, hanging up and calling back may be successful.”
Indeed, there’s a multitude of ways in which a skilled social engineer can manipulate perception and reality in order to penetrate a system. “The problem with social engineering is the creativity of the attacker and the ability to think on the fly in a situation,” Kennedy added. “It’s really dependent on the amount of (pardon the language) balls the person has to push the person on the other end.”
Some hackers want access to credit-card numbers or other corporate data. In Honan’s case, it seems his attackers were simply interested in posting an embarrassing Twitter message. They did it for the Lulz.
In a statement forwarded to multiple media outlets, including The New York Times, Apple spokesperson Natalie Kerris suggested that the company was reviewing its processes for resetting account passwords. “In addition,” she wrote, referring to Honan’s case, “we found that our own internal policies were not followed completely.”
In the wake of Honan’s high-profile hack, there are some key takeaways. Even if a typical user can’t prevent a social-engineering attack on the company hosting their cloud account, they can armor their online life in ways that make attacks more difficult. First, two-factor authentication can prevent an attacker from seizing control of those vital “hub” accounts (such as Gmail) where users tend to store much of their most vital information. Google offers two-step verification for signing in, as does Facebook.
The truly security-conscious can also uncouple their cloud accounts; for example, making sure that iCloud and iTunes use two different sets of credentials. That might rob daily life in the cloud of some of its convenience, but it could also make you a harder target.
Image: Tanee Nomai/Shutterstock.com