Meet Mat Honan. He just had his digital life dissolved by hackers. On Friday, August 3, 2012, Mat Honan’s personal computer (PC) system was invaded by hackers. In the space of one hour, Mat’s entire digital life was destroyed. First his Google account was taken over, then deleted. Next his Twitter account was compromised and used as a platform to broadcast racist and homophobic messages. And worst of all, Honan’s Apple ID account was broken into, and the hackers used it to remotely erase all of the data on his iPhone, iPad, and MacBook.
Had he been regularly backing up the data on his MacBook, he wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of his daughter, or documents and e-mails that he had stored in no other location.
Honan realized something was wrong at about 5 p.m. on Friday. He was playing with his daughter when his iPhone suddenly powered down. He was expecting a call, so he went to plug the phone back in.
It then rebooted to the setup screen. This was irritating, but he wasn’t concerned. He assumed it was a software glitch. And, his phone automatically backs up every night. He just assumed it would be a “pain in the ass”, and nothing more. He entered his iCloud login to restore, and it wasn’t accepted. Again, although he was irritated, he was not alarmed.
He went to connect the iPhone to his computer and restore from that backup, which he had just done the other day. When he opened his laptop, an iCal message popped up telling him that his Gmail account information was wrong. Then the screen went gray, and asked for a four-digit PIN, which he never had.
By now, Mat knew something was very wrong. For the first time it occurred to him that he was being hacked. Unsure of exactly what was happening, he unplugged his router and cable modem, turned off the Mac Mini which his entire family uses as an entertainment center, grabbed his wife’s phone, and called AppleCare, the company’s tech support service, and spoke with a representative for the next hour and a half.
It wasn’t the first call they had had that day about Mat’s account. In fact, he later found out that a call had been placed just a little more than half an hour before his own. But the Apple representative didn’t bother to tell him about the first call concerning his account, despite the 90 minutes he spent on the phone with tech support. Nor did Apple tech support ever tell him about the first call voluntarily; it only shared this information after he asked about it. And he only knew about the first call because a hacker told him he had made the call himself.
At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be Mat Honan. Apple says the caller reported that he couldn’t get into his Me.com e-mail, which, of course, was Mat’s Me.com e-mail.
In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions which Mat had set up. And Apple did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone could discover.
At 4:50 p.m., a password reset confirmation arrived in Mat’s inbox. He hardly ever used his me.com e-mail, so he rarely checked it. But even if he had, he might not have noticed the message, because the hackers immediately sent it to the trash. They were then able to follow the link in that e-mail to permanently reset his AppleID password.
At 4:52 p.m., a Gmail password recovery e-mail arrived in Mat’s me.com mailbox. Two minutes later, another e-mail arrived notifying him that his Google account password had changed.
At 5:02 p.m., they reset his Twitter password. At 5:00 they used iCloud’s “Find My” tool to remotely wipe Mat’s iPhone. At 5:01 they remotely wiped his iPad. At 5:05 they remotely wiped his MacBook. Around this same time, they deleted his Google account. At 5:10, he placed the call to AppleCare. At 5:12 the attackers posted a message to his account on Twitter taking credit for the hack.
By wiping his MacBook and deleting his Google account, they now not only had the ability to control his account, but were able to prevent him from regaining access. And crazily, in ways that he will never understand, those deletions were just collateral damage. His MacBook data, including lots of irreplaceable pictures of his family, of his child’s first year and of relatives who have now passed from this life, wasn’t the target. Nor were the eight years of messages in his Gmail account. The target was always Twitter. His MacBook data was torched simply to prevent him from getting back in.
Lulz.
Mat spent an hour and a half talking to AppleCare. One of the reasons it took him so long to get anything resolved with Apple during his initial phone call was because he couldn’t answer the security questions it had on file for him. It turned out there’s a good reason for that. Perhaps an hour or so into the call, the Apple representative on the line said “Mr. Herman, I….”
“Wait. What did you call me?”
“Mr. Herman?”
“My name is Honan.”
Apple had been looking at the wrong account all along. Because of that, Mat couldn’t answer his security questions. And because of that, it asked him an alternate set of questions that, it said, would let tech support admit him to his me.com account: a billing address and the last four digits of his credit card. (Of course, when he gave them those, it was no use, because tech support had misheard his last name.)
It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.
Apple tech support confirmed to him twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. Mat was very clear on this point. During his second tech support call to AppleCare, the representative confirmed this condition to him. “That’s really all you have to have to verify something with us,” he said.
Wired talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
On Monday, Wired tried to verify the hackers’ access technique by performing it on a different account. It succeeded. This means, ultimately, that all you need in addition to someone’s e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file. Here’s the story of how the hackers got them. By exploiting the customer service procedures employed by Apple and Amazon, the hackers were able to get into iCloud and take over all of Mat Honan’s digital devices and data.
On the night of the hack, Mat tried to make sense of the ruin that was his digital life. His Google account was nuked, his Twitter account was suspended, his phone was in a useless state of restore, and (for obvious reasons) he was highly paranoid about using his Apple email account for communication.
So he decided to set up a new Twitter account until his old one could be restored, just to let people know what was happening. He logged into Tumblr and posted an account of how he thought the takedown occurred. At this point, he was assuming that his seven-digit alphanumeric AppleID password had been hacked by brute force. In the comments (and, oh, the comments) others guessed that hackers had used some sort of keystroke logger. At the end of the post, he linked to his new Twitter account.
And then, one of his hackers @ messaged him. This individual would later identify himself as Phobia. Mat followed him. He followed Mat back.
They started a dialogue via Twitter direct messaging that later continued via e-mail and AIM. Phobia was able to reveal enough detail about the hack and Mat’s compromised accounts that it became clear he was, at the very least, a party to how it went down. Mat agreed not to press charges, and in return the hacker laid out exactly how the hack worked. But first, he wanted to clear something up:
“didn’t guess your password or use bruteforce. i have my own guide on how to secure emails.”
Mat asked him why, and whether he had been specifically targeted or whether this was just a way to get to Gizmodo’s Twitter account. No, Phobia said; they were not even aware that Mat’s account was linked to Gizmodo’s, and the Gizmodo linkage was just gravy. Phobia said the hack was simply a grab for Mat’s three-character Twitter handle. That’s all they wanted. They just wanted to take it, and fuck shit up, and watch it burn. It wasn’t personal.
“I honestly didn’t have any heat towards you before this.
i just liked your username like I said before” he told Mat via Twitter Direct Message.
After coming across Mat’s account, the hackers did some background research. His Twitter account linked to his personal website, where they found his Gmail address. Guessing that this was also the e-mail address he used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.
Because Mat didn’t have Google’s two-factor authentication turned on, when Phobia entered his Gmail address, he could view the alternate e-mail Mat had set up for account recovery. Google partially obscures that information, starring out many characters, but enough characters were visible: m••••n@me.com. Jackpot.
This was how the hack progressed. If Mat had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here. But using that Apple-run me.com e-mail account as a backup meant he told the hacker he had an AppleID account, which meant he was vulnerable to being hacked.
Be careful with your Amazon account — or someone might buy merchandise on your credit card, but send it to their home.
“You honestly can get into any email associated with apple,” Phobia claimed in an e-mail. And while it’s work, that seems to be largely true.
Since he already had the e-mail, all he needed was Mat’s billing address and the last four digits of his credit card number to have Apple’s tech support issue him the keys to Mat’s account.
So how did Phobia get this vital information? He began with the easy one. He got the billing address by doing a WHOIS search on Mat’s personal web domain. If someone doesn’t have a domain, you can also look up his or her information on Spokeo, WhitePages, and PeopleSmart.
Getting a credit card number is trickier, but it also relies on taking advantage of a company’s back-end systems. Phobia says that a partner performed this part of the hack, but he described the technique to Mat, and Wired was able to verify it via its own tech support phone calls. It’s so remarkably easy that Wired was able to duplicate the exploit twice in minutes.
First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. Wired asked Amazon to comment on its security policy, but the company didn’t have anything to share by press time.
And it’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’re giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.
And so, with Mat Honan’s name, address, and the last four digits of his credit card number in hand, Phobia called AppleCare, and his digital life was laid waste. Yet still Mat was actually quite fortunate.
They could have used his e-mail accounts to gain access to his online banking or financial services. They could have used them to contact other people, and socially engineer them as well. As Ed Bott pointed out on TWiT.tv, Mat’s years as a technology journalist have put some very influential people in his address book. They could have been victimized too.
Instead, the hackers just wanted to embarrass Mat, have some fun at his expense, and enrage his followers on Twitter by trolling.
He had done some pretty stupid things. Things you shouldn’t do.
He should have been regularly backing up his MacBook. Because he wasn’t doing that, if all the photos from the first year and a half of his daughter’s life were ultimately lost, he would have had only himself to blame. He shouldn’t have daisy-chained two such vital accounts, his Google and iCloud accounts, together. He shouldn’t have used the same e-mail prefix across multiple accounts: mhonan@gmail.com, mhonan@me.com, and mhonan@wired.com. And he should have had a recovery address that’s used only for recovery and is not tied to core services.
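To make the chain of resets described above, and the two account-level fixes just named, concrete, here is an added example (my own code, not the article’s and not Apple’s or Amazon’s) that models the recovery dependencies as a small graph and asks which accounts someone holding only public facts can reach. The fact labels are constructed, and it assumes the Amazon account was registered under the same Gmail address.

```python
"""Account-recovery dependency audit (added example, not the article's or
Apple's/Amazon's code): the essay's recovery chain as a small graph, used
to compute what an outsider holding only public facts can reach and how
the two fixes named above (Gmail second factor, dedicated recovery address) cut it."""

class RecoveryGraph:
    """Holding every fact in `needs` lets you reset `account`; owning it grants `exposes`."""

    def __init__(self):
        self.paths = {}    # account -> set of required facts
        self.exposes = {}  # account -> facts gained once it is owned

    def add(self, account, needs, exposes=()):
        self.paths[account] = set(needs)
        self.exposes[account] = set(exposes)

    def reachable(self, known):
        """Fixed point: take every account whose requirements are all known,
        add what it exposes, repeat until nothing new becomes reachable."""
        known, owned = set(known), set()
        while True:
            newly = {a for a, need in self.paths.items()
                     if a not in owned and need <= known}
            if not newly:
                return owned
            owned |= newly
            for a in newly:
                known |= self.exposes[a]

# Constructed labels for the public starting facts: name and billing address
# (WHOIS on the personal domain), the Gmail address (personal site) and the
# masked me.com backup address leaked by Google's recovery page.  Assumes the
# Amazon account was registered under the same Gmail address.
PUBLIC = {"name", "billing_address", "gmail_address", "me_address"}

def as_described():
    g = RecoveryGraph()
    # Amazon: name, e-mail and billing address get a card added and a new
    # e-mail attached; a reset then shows the last four of every card on file.
    g.add("amazon", {"name", "gmail_address", "billing_address"}, {"card_last4"})
    g.add("appleid", {"me_address", "billing_address", "card_last4"}, {"me_inbox"})
    g.add("gmail", {"me_inbox"}, {"gmail_inbox"})  # reset mail lands in the backup inbox
    g.add("twitter", {"gmail_inbox"})
    return g

def with_gmail_2fa():
    g = as_described()
    g.paths["gmail"].add("gmail_second_factor")  # nothing in the graph exposes it
    return g

def with_dedicated_recovery_address():
    g = as_described()
    g.paths["gmail"] = {"recovery_only_inbox"}  # an inbox tied to no other account
    return g
```

Either fix alone leaves Amazon and the AppleID exposed to the customer-service weaknesses, but Gmail and Twitter drop out of the reachable set, because no account in the graph yields the extra fact.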
But, mostly, he shouldn’t have used Find My Mac. Find My iPhone has been a brilliant Apple service. If you lose your iPhone, or have it stolen, the service lets you see where it is on a map. The New York Times’ David Pogue recovered his lost iPhone just last week thanks to the service. And so, when Apple introduced Find My Mac in the update to its Lion operating system last year, Mat added that to his iCloud options too. After all, as a reporter, often on the go, his laptop is his most important tool.
But as a friend pointed out, while that service makes sense for phones (which are quite likely to be lost) it makes less sense for computers. You are almost certainly more likely to have your computer accessed remotely than physically. And even worse is the way Find My Mac is implemented.
When you perform a remote hard drive wipe on Find my Mac, the system asks you to create a four-digit PIN so that the process can be reversed. But here’s the thing: If someone else performs that wipe — someone who gained access to your iCloud account through malicious means — there’s no way for you to enter that PIN.
When Mat asked Phobia why he did all this to him, his answer was deeply unsatisfying. He said he likes to publicize security exploits, so companies will fix them. He said it’s the same reason he told Mat how it was done. Phobia claims his partner in the attack was the person who wiped Mat’s MacBook; he expressed remorse for this, and said he would have stopped it if he had known.
“yea i really am a nice guy idk why i do some of the things i do,” he told Mat via AIM. “idk my goal is to get it out there to other people so eventually every1 can overcome hackers”
On AIM, when Mat asked him if he was sorry for doing that, Phobia replied, “even though i wasnt the one that did it i feel sorry about that. Thats alot of memories im only 19 but if my parents lost and the footage of me and pics i would be beyond sad and im sure they would be too.”
The weird thing is, Mat is not even especially angry at Phobia, or his partner in the attack. He is mostly mad at himself. He is mad as hell for not backing up his data. In many ways, this was all Mat’s fault. His accounts were daisy-chained together. Getting into Amazon gave his hackers access to his Apple ID account, which then helped them get into Gmail, which in turn gave them access to Twitter. It’s possible that none of this would have happened if he had used two-factor authentication for his Google account, because their ultimate goal was always to take over his Twitter account and wreak havoc. Lulz. He is sad, and shocked, and feels he is ultimately to blame for that loss.
But Mat is also upset that this ecosystem that he has placed so much of his trust in has let him down so thoroughly. He is angry that Amazon makes it so remarkably easy to allow someone into a client’s account, which has obvious financial consequences. And then, he bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls his phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can’t put a price on.
Lesson to Us!
What happened to Mat Honan exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support failed at security this time because it gave the hackers access to his iCloud account. Amazon tech support gave them the ability to see a piece of information, a partial credit card number, that Apple then accepted as proof of identity. In short, the very four digits of the credit card that Amazon considers unimportant enough to display in the clear on the web are precisely the ones that Apple considers secure enough to perform identity verification. Such a disconnect exposes weaknesses in data management policies that are endemic to the entire IT industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
Moreover, we should continue to beware, because if our computers aren’t already cloud-connected devices, they will be soon. Apple is presently working hard to get all of its customers to use iCloud. Google’s entire operating system is cloud-based. And Windows 8, the most cloud-centric operating system yet, will hit tens of millions of desktops in the coming year. Honan’s experience leads us to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms, which can be cracked, reset, and socially engineered, no longer deliver sufficient security in this era of cloud computing.