[Article first published as The “Epic Hack” of Wired’s Mat Honan – Social Engineering at Work on Blogcritics.]
I spend a lot of time and effort attempting to keep people safe in the digital age. Whether it’s on a professional level at my job or through my writing or social media, to me it’s important that everyone is as safe as they can be, knowing that nothing is 100% foolproof. Part of what I do professionally is keeping computer systems safe, and even I have had to go through the pains of wiping everything from my computer and starting from scratch more than a couple times. It happens. Even to the nerd elite.
So when someone brings me their machine or reports some sort of issue, I know it’s going to be one of a few things – (1) a virus, (2) malware/scareware or (3) phishing scams. But these are all software methods with the aim of destruction or data theft. Sometimes, especially with scareware, someone’s looking for the user to give up a credit card number, a user name or password, account numbers of any kind, hell, even social security numbers. The reason is that any combination of these things can be pieced together enough for someone to pass themselves off as you. And once that happens, your digital life can be reduced to ruins. Accounts or credit cards can be opened in your name, and you can wave bye-bye to your credit, your money, or even your good name. There are a lot of snippets of code or scripts or SQL injections (and blah blah the list goes on) that can do this to you. But in my experience, knowing what I know and having had to help people protect against it, I’ve found that there’s one tool that works better than all of the above combined, and that’s social engineering. Low tech compared to software hacks, but highly efficient. I wrote a bit a while ago on the topic concerning RSA if you want some details, but I’ll nutshell the concept for you – social engineering means hacking people, not machines.
It’s a fancy way of saying “tricking people into giving up information.” And attempts have been made on all of you, whether you know it or not.
So why am I going all into this topic today? Unfortunately the way things work in this world is that something has to happen to someone with some clout for an issue to be addressed. What I just described happened recently to Wired Magazine’s Mat Honan. A bit of social engineering with some security holes at both Amazon and Apple led to what Honan addresses as an “epic hacking.” He outlined his experiences for all to read yesterday, and it is 100% worth the read if you have a couple of minutes to do so. He details everything to the what and the how all the way to actual talking to the hacker that broke into his life and the conversation they had. I’ll go over a little of it here.
Mr. Honan realized there was a problem on Friday – while he was trying to restore his iPhone, he was getting messages on his MacBook that his saved account information was wrong, asking him for a 4-digit PIN number. The problem was, he didn’t have a 4-digit PIN number.
His timeline that follows should scare the living hell out of you. Especially those of you that entrust all of your accounts to an AppleID.
Upon calling AppleCare for help, it was confirmed that they handed over temporary .me e-mail credentials to someone claiming to be him, and he watched over the next hour as that person reset credentials on his twitter, then his Gmail, then wiped his iPad, and permanently reset his AppleID. But that was only the start – next was outright deletion of his Google account, followed by a remote “Find My” data wipe of his MacBook. Now not only were all of his accounts effectively locked out to him, but anything on any of his devices that wasn’t backed up was gone forever. Maybe not such a big deal on his iPhone or iPad, but on a MacBook, his primary machine, that’s a big deal. He lost pictures of his kids, all of his email, and other data from the laptop that he’d never see again. The hacker posted a new status on his now hacked twitter account – ” Clan Vv3 and Phobia hacked this twitter.”
What the hell happened? On his extensive talk with AppleCare, he realized that all that was needed to get a temporary .me password reset were the last 4 digits of your credit card number and a billing address. And how did they get that information? Afterwards the hacker (Phobia) contacted Honan. In Honan’s words:
“After coming across my account, the hackers did some background research. My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.
Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com. Jackpot.”
Two-factor authentication being turned on probably would have been the end of this story.
But it went on. Phobia indicated that any email address associated with an Apple account is pretty easy to get, and Amazon was the next target. The same kind of trickery was used to fool Amazon into believing that Phobia was a legitimate Amazon user that couldn’t access their account – changing the associated email, getting a password reset sent to that email, and logging in. And what’s on file on an Amazon account? You guessed it, the last 4 digits of the user’s stored credit card numbers.
And that’s how it all comes together. Like I said at the top of the post – Low tech, high efficiency.
Mr. Honan asked Phobia why they did this to him. Phobia’s response was that they like to publicize security exploits so that all users can see what happens and be able to defend themselves from hackers. It sounds like the so-called “hacktivism” we’ve seen over the last two years with stories like Sony’s PSN fiasco. But I’m really not sure how destroying a private user’s irrecoverable data was needed to make their point. If you want to do this thing for the public good, it is well within your power to do it without hurting any of the public involved.
But I digress. Admittedly Mr. Honan made a lot of mistakes on how he had his personal security set up that led to his digital demise. I don’t mean stuff like strong passwords for people trying to hack their way in through brute force. I mean other things people can do specifically to reduce their risk of low-tech hacks. And I’m going to walk you through some of them to help you all stay a little safer at home.
>Right off the bat he broke one of the cardinal rules of keeping your stuff safe – routine backups of important information. Personally about once a month, or when I do something important or official, I back up one or more file sets. It’s the single best way of adding a layer of redundancy to your data in case something should go wrong. You can use external USB drives, a cloud solution (if you’re into that), CD’s or DVD’s, or a number of other forms of media. Apple operating systems as well as Microsoft’s Windows OS’s come with native tools to back up your data.
Secondly, he used a common prefix for all of his accounts. if you have multiple email accounts, try not to use the same prefix for all of them – as in abc@hotmail.com, abc@yahoo.com, abc@me.com, etc. If someone knows one of your addresses it becomes that much easier to guess what your other accounts could be called.
For Google accounts and increasing in popularity in a lot of things is two-factor authentication. For those of you that play any Blizzard games, this is the equivalent of your Authenticator. It means that even if someone has your password, they can’t alter your user info without that second piece of information. Google and others use an “alternate email” or even phone numbers for extra verification.
Next is something that’s Mac-specific, and that’s the Find My Mac feature. This is a great feature for the iPhone, because people lose their phones pretty frequently, and need to have some sort of tool to wipe that data. For a laptop it could be useful, but be real, how apt are you to lose your laptop like you could lose your phone? And as Honan notes, there’s some problems with implementing the service that has been part of their system starting with the Lion OS. Reversing a remote hard drive wipe is easy – but only if you’re the one that did it. If someone remotely wipes your machine, you don’t have the PIN number you need to make that happen. So until they improve it, my suggestion for most of you is to turn Find My Mac off.
In addition to these things that were relevant in what happened in this case, you need to make sure you know who you’re giving information to and what you’re entering information into. Let me give you an example – if I get a call claiming that there’s an issue with my credit card, I don’t engage it. I will call my bank myself using a number that I know is real so I minimize any chances of someone getting my information. It’s little things like this that will help you minimize your risk of becoming a victim of social engineering. And with all of the forms of social media, email and other types of accounts, there’s more information out there to be got than ever before.
Since this event occurred, Apple has suspended over-the-phone AppleID password resets and Amazon has tightened up their security as well. Unfortunately Mr. Honan had to get hacked for them to take a closer look at their practices.
If you have any questions, of course you know by now that I’m here for you America. You can find me at helpdesk@tusharnene.com if you need some pointers. Of course I can’t do the fixes for you (I do have a day job) but I can try and point you in the right direction.
This incident goes to show why validating with a pin that isn't recorded anywhere is better than the last four of a CC; at the very least the last 6 of a CC should be used if that's an option