It seems logical that the easiest attack vector for any type of cloud storage is through social engineering. You're essentially protecting potentially valuable or incriminating data behind millions of dollars worth of firewalls, encryption and other technology... or a customer service representative paid $10-15/hr, if that.
Depending on how valuable the data is to you, it might be easier to just pay off a CSR, and then fake a phone call where you pretend to convince that CSR that you are that person. The person will get fired, but probably won't go to jail unless they can prove collusion. And then they can either find a new job, or depending on which country the person is living in, they can live nicely off of the money for a while.
I'm not sure how to solve this problem, except by having highly paid and specially trained CSRs that do the account resetting, or by never allowing resetting ever, and if you forget your password and your security questions, you're SOL.
I have to admit this only makes me more leery of putting anything on cloud storage, although my own personal data is pretty useless to anyone, which is my only saving grace. Others who are more important might need to think twice about relying on these types of services.
I'll confess, I honestly didn't even consider the possibility that the hacker just social-engineered Apple support. I mean, Mitnick wrote an entire book about that kind of stuff, and the whole HBGary thing went down in sort of the same way, but ... still, to be able to call up the support department of a major technology (!) company, in 2012, pretending to be someone else and get access to their account that way? Apple didn't send a text message to his number-on-file? They didn't try a callback? Were there any challenge-response questions at all?
That's absurd.
This should make every iCloud user reeeeeaally nervous.
Easy. The CSR has exactly the same screen as you do, with the same security questions as you have. In this case it seems those questions were never asked. You design the CSR frontend so that they must themselves answer those questions before proceeding. You may pay off that CSR, but she/he does not know the answers to those questions, so she/he cannot do a thing.
If you forget the answers to those questions, an alert is escalated, which needs two CSRs together + their supervisor to unlock your account + you must make a FaceTime call + the whole process gets documented carefully.
Perhaps what they need here is an optional 24-hour password reset delay. A user could only adjust this setting when properly logged in. Even if Apple gets social engineered, the user has 24 hours to notice the difference.
Although it's extremely inconvenient to wait 1 full day to get back in, forgetting a password should be a rare circumstance.
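Added example (mine, not the thread's or Apple's code) of the optional reset delay proposed in the comment above: a reset requested through any channel is only recorded as pending, the owner is notified, the old password keeps working during the window so the owner can log in and cancel, and the length of the delay can be changed only from a logged-in session. The service, the identifiers and the injectable clock are assumptions made for the example; password "hashes" are opaque strings here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Hypothetical account-recovery service constructed for this example.
# Password hashes are opaque strings; a real system uses a password KDF.


@dataclass
class Session:
    user_id: str
    authenticated: bool     # True only for a session that presented the current password


@dataclass
class PendingReset:
    new_password_hash: str
    requested_at: datetime
    effective_at: datetime
    requested_via: str      # e.g. "phone support", "self-service"


@dataclass
class Account:
    user_id: str
    password_hash: str
    reset_delay: timedelta = timedelta(hours=24)
    pending: Optional[PendingReset] = None
    notices: list = field(default_factory=list)   # shown to the owner on every channel


def _owner(session: Session, account: Account) -> bool:
    return session.authenticated and session.user_id == account.user_id


class ResetPolicy:
    def __init__(self, clock: Callable[[], datetime]):
        self.clock = clock      # injected so the window can be exercised without waiting a day

    def set_delay(self, account: Account, session: Session, hours: float) -> None:
        """The delay itself is adjustable only from a fully logged-in session."""
        if not _owner(session, account):
            raise PermissionError("reset delay can only be changed when logged in")
        account.reset_delay = timedelta(hours=hours)

    def request_reset(self, account: Account, new_password_hash: str, via: str) -> PendingReset:
        """Anyone who passes support's checks may request; nothing changes yet."""
        now = self.clock()
        account.pending = PendingReset(new_password_hash, now, now + account.reset_delay, via)
        account.notices.append(
            f"password reset requested via {via}; takes effect at "
            f"{account.pending.effective_at.isoformat()} unless you cancel it")
        return account.pending

    def cancel_reset(self, account: Account, session: Session) -> bool:
        """Only the owner, still holding the old password, can cancel."""
        if not _owner(session, account):
            raise PermissionError("cancelling requires a logged-in session")
        if account.pending is None:
            return False
        account.pending = None
        account.notices.append("pending password reset cancelled by account owner")
        return True

    def finalize(self, account: Account) -> bool:
        """Run by a scheduler; commits the reset only once the window has elapsed."""
        p = account.pending
        if p is None or self.clock() < p.effective_at:
            return False
        account.password_hash = p.new_password_hash
        account.pending = None
        return True

    def login(self, account: Account, password_hash: str) -> bool:
        return password_hash == account.password_hash   # old password stays valid during the window


class FakeClock:
    """Test clock: starts at a fixed (constructed) instant and moves only when told to."""
    def __init__(self, start: Optional[datetime] = None):
        self.t = start or datetime(2012, 8, 3, 12, 0, tzinfo=timezone.utc)

    def now(self) -> datetime:
        return self.t

    def advance(self, hours: float) -> None:
        self.t += timedelta(hours=hours)


if __name__ == "__main__":
    clock = FakeClock()
    policy = ResetPolicy(clock.now)
    acct = Account("user-1", "hash-old")
    policy.request_reset(acct, "hash-attacker", via="phone support")
    clock.advance(3)
    print(policy.cancel_reset(acct, Session("user-1", authenticated=True)))  # owner noticed in time
    clock.advance(22)
    print(policy.finalize(acct), policy.login(acct, "hash-old"))
```

The design choice worth noting is that a successful social-engineering call buys the attacker only a pending record, while the owner's existing credentials, devices and notification channels all keep working until the window closes.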
This _could_ be a lesson in not trusting cloud services where issues can be resolved by human intermediaries. Sounds a bit counter-intuitive but to me a bit more reassuring. But I could be wrong.
Whoa, wait, what? What occurred was a simple confidence hack, not some industrial spy escapade.
Anyway, to answer your initial point, two factor authentication helps with this problem, as you have to still have the security token to authenticate. And if the "Something you have" gets stolen, then you need a manager to work through it to get you set up again, and all resets are heavily monitored and audited.
The thought hadn't crossed my mind, but after reading this post it got me thinking:
Sensa
So, let's get this straight...a hacker "decides" to hack the account of a semi-high profile tech guy and then after committing several serious crimes like fraud that could land him in jail for an extended period of time repeatedly contacts the person he hacked when he must know that Apple will surely pursue this matter?
To connect or not to connect? I have been debating the advantages and disadvantages of coupling both personal and work IT systems for some time now. If you tie your IT systems together, you can manage them more easily and efficiently. On the other hand, as in Mat's case, a single node failure can cause an entire system to collapse. For another example, consider fully automatic self-updating servers. Without safe-guards, a configuration bug can bring them all down within minutes. At this point, I think some coupling, but not total coupling, is best. Too little coupling won't allow enough productivity; too much increases your risk of system-wide failure.
From iCloud's ToS, it looks like it'd depend on whether a court finds this to be either "failure to use reasonable skill and due care" or "gross negligence":
APPLE SHALL USE REASONABLE SKILL AND DUE CARE IN PROVIDING THE SERVICE. THE FOLLOWING LIMITATIONS DO NOT APPLY IN RESPECT OF LOSS RESULTING FROM (A) APPLE'S FAILURE TO USE REASONABLE SKILL AND DUE CARE; (B) APPLE'S GROSS NEGLIGENCE, WILFUL MISCONDUCT OR FRAUD; OR (C) DEATH OR PERSONAL INJURY. [Blanket disclaimer of liability in all other cases follows.]
I'd be curious if there is any good precedent on product liability for cloud services.
I don't think I would label this horrible behavior on the part of Apple. When you provide customer service for something like iCloud, things like these are bound to happen. This is a case of social engineering, not some tech rep downloading plaintext passwords to a laptop and losing it. With a really targeted attack they are bound to be successful with some rep. It's a matter of when, not if. Having said that, they will improve their support with this. And the guy could end up suing Apple as well.
I hope he sues Apple too. Not because I want any harm to come to Apple, but because I want Apple to have a significant financial incentive to push authorities to track down the villain.
One of the main issues with the Apple ID is the ease of use vs security. Tying the remote wipe functionality with the ability to purchase low cost content (the primary use case for the Apple ID) is always going to have one group of users unhappy.
I frequently want to quickly purchase a song on my iPhone. I also frequently tell my friends my password so they can do the same. How many of you have typed your Apple ID password on your Apple TV with others watching? I wouldn't really ask my friends to exit the room to type in a super secure and long password with many character groups (one that should be required for remote wipe functionality).
How many users keep their password secure knowing the main place they enter it is on their iOS device? For the many every day Apple users I know, they set their passwords to something easy so they don't have to hit their keyboard too many times when entering them.
If Apple can separate the two authentication functions as they do with OS X and FileVault, it would go a long way to preventing these types of rare but high impact events. Another suggestion would be to separate the remote wipe into two phases, erasing the keys and cleaning up the data. The initialization vectors (seed) do present a bit of a problem but I think the FileVault solution is more than adequate. If the encryption keys and the key escrow system are cleared remotely, that would leave me comfortable that my data is still secure. If we really trust our crypto algorithms, then erasing data and removing the encryption keys should really be no different. Users that do not have iOS data protection and OS X FileVault turned on cannot be considered any level of secure anyway. And even with that data protection turned on, there are still many issues due to each app needing to implement security properly. It would be really great to see Apple improve their App Store to really audit the security of each application more than they do today.
Most of the work lies with Apple but it is a hard problem that will take time. I think Apple is going in the right direction by centralizing on iCloud rather than the PC as the central hub. This will give them a lot more flexibility and agility to move quicker and deliver secure results to the masses.
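Added example (mine, not the commenter's or Apple's code) of the two-phase wipe suggested in the comment above, in the form of cryptographic erasure: every file is encrypted under one device key with a fresh per-file nonce stored beside the ciphertext, phase one destroys every copy of the key including the escrowed one, and phase two clears the ciphertext at leisure. The stream construction (HMAC-SHA256 in counter mode) is a stand-in for a real authenticated cipher such as AES-GCM, chosen only so the example runs on the standard library; the Device class and the escrow layout are assumptions.

```python
import hashlib
import hmac
import os

BLOCK = hashlib.sha256().digest_size   # 32 bytes of keystream per HMAC call


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream: XOR data with HMAC-SHA256(key, nonce || counter).
    Symmetric, so one call both encrypts and decrypts. Demonstration only: it is
    unauthenticated, and a real device would use AES-GCM or equivalent."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        counter = (offset // BLOCK).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + BLOCK], block))
    return bytes(out)


class Device:
    """Hypothetical device: files live encrypted under one data key, and a copy of
    that key sits in an escrow store (the cloud-side copy in the comment's terms)."""

    def __init__(self):
        self.key = os.urandom(32)
        self.files = {}                         # name -> (nonce, ciphertext)
        self.escrow = {"device-key": self.key}  # a wipe must clear this copy as well

    def write(self, name: str, plaintext: bytes) -> None:
        if self.key is None:
            raise KeyError("data key erased")
        nonce = os.urandom(16)   # fresh per file, so the keystream never repeats under one key
        self.files[name] = (nonce, keystream_xor(self.key, nonce, plaintext))

    def read(self, name: str) -> bytes:
        if self.key is None:
            raise KeyError("data key erased")
        nonce, ciphertext = self.files[name]
        return keystream_xor(self.key, nonce, ciphertext)

    def restore_from_escrow(self) -> bool:
        """Legitimate recovery path; it must fail once phase one has run."""
        if "device-key" not in self.escrow:
            return False
        self.key = self.escrow["device-key"]
        return True

    def wipe_phase1_erase_keys(self) -> None:
        """Fast and sufficient: with every copy of the key gone, the ciphertext is noise."""
        self.key = None
        self.escrow.clear()

    def wipe_phase2_clear_data(self) -> None:
        """Slow and optional: reclaim the space once phase one has made it safe."""
        self.files.clear()


if __name__ == "__main__":
    dev = Device()
    dev.write("notes.txt", b"meeting at noon, bring the contract")
    print(dev.read("notes.txt"))
    dev.wipe_phase1_erase_keys()
    print("escrow restore after wipe:", dev.restore_from_escrow())
    try:
        dev.read("notes.txt")
    except KeyError as exc:
        print("read after wipe:", exc)
```

Storing the nonce in the clear next to each file is the usual answer to the "initialization vectors present a problem" worry: the nonce needs to be unique, not secret, and nothing in it helps an attacker once the key is gone. The escrow copy is the part that is easy to forget; phase one has to reach it, or the wipe is only cosmetic.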
Absolutely. Forcing users to input their password each time they buy something from iTunes, or log into iCloud in the browsers, encourages simpler passwords. To have a single account in control of everything from buying a $1 song to remote-wiping a computer is madness.
Social Engineering will usually win out as long as a person is in the loop. It's just not feasible to expect a poorly paid CSR to be able to cope with this type of threat.
In the end, a company has to constantly weigh the cost of strong protections versus the risk, and what this exposure will cost them in terms of customer goodwill as well as any civil penalties that may arise.
Actually, it appears to me that almost 100% of “security questions” used during support phone calls are completely insecure.
Usually they'll ask a few (2~3 is normal) questions like your full name, date of birth, address with zipcode, email address, etc. Notice the problem with these? All of them, I mean, ALL, are PUBLIC INFORMATION THAT ANYONE WHO KNOWS SOMETHING ABOUT YOU WILL HAVE.
This is almost as silly as credit cards, where you are supposed to give the card number, card holder's name (not required most of the time), expiry date, and the 3-digit PIN. Anyone who touches your card will have that information, once and forever. Yes, ANYONE, that includes your grocery store cashiers, your favorite bartenders, your mobile phone billing representatives, etc. The list could go on very, very long.
And I'm totally amazed that both systems persist as a fallback plan in this digital world with countless attacking vectors.
Are they saying Apple sent the password reset request to a different backup email entirely? Or that they reset the password to a requested password while on the phone?
Even if someone had properly identified themselves as Mat Honan, neither of these should be permitted.
Mat posted a screenshot of his Gmail inbox which showed an email about Apple's password reset. So I'm guessing the hackers had compromised the Gmail account BEFORE they called up Apple tech support. Or maybe that email was just an attempt and didn't help anyway with the actual password retrieval. I'm confused about this...
One problem is I have no idea what physical address Apple has for me, but I'm sure I have moved at least three times (as many as five) since I gave them that address.
A better solution is to require notarized physical mail in the event of password changes for high-security accounts. Everything else just goes to your email account.
In all fairness to Apple and any support desk, it ain't hard to bypass a control system where one human talks to another exchanging information that is mostly in the public domain, or to bypass it using emotion-based social engineering (sounding as if in a panic and your mother is in hospital, for example). Support is human.
I helped a friend set up an account with some provider the other day and one of the security questions was the classic choice of mother's maiden name, favourite colour or favourite number. All of which are hardly secure as they can be obtained or educated-guessed a lot easier than most, but that's another discussion. He wanted his favourite football player's name, so I told him to pick mother's maiden name and use his favourite football player's name. He knows this, and even somebody who knew his mother's maiden name would still fail on that security check.
What could Apple do? And they will do something, I suspect. Well, they could add voice recognition to their support call system and/or allow pre-registered calling numbers only (excluding device phone numbers, to cover losing said device), like your office phone. But they will step up to the plate and hopefully turn this around; any good tech company will do that (even if it is going oops and we added password salts now - they evolve).
The whole aspect about all this that concerned me was how you can have what you perceive as a cloud backup that can then be taken away, as well as your copy of the data. That is a lesson for the user more than Apple though. But it will be reassuring to find out they have a backup system, and maybe also concerning. That is an individual's perception of thought for them to ascertain for themselves; everybody is different.
I might also add that the chap who initially got hacked and subsequently also had his Twitter accounts hacked said in a tweet that he is leaving the hacked tweets in the same way he does not go about removing scars on his body. Shows an insightful mindset and in many ways shows that pride was not a part of this, and in that we would probably not have read about this had he been burdened by pride. Respect has to be noted there for him stepping up and going public; this happened before he found out how it had been done and without knowing it was not an act of his own doing.
I don't believe that things happened as they are being presented. This is (ex-)Gizmodo we're talking about, people who have a long standing grudge with Apple.
In the middle of a 'major crisis' this guy finds time to type up a story, on a computer? He can still access work machines to submit? And then the hacker is kind enough to tell him what happened? And oddly, there is no mention of involving the police or the FBI?
This episode is either an inside job or a complete fabrication. My prediction is it will fall apart within the week, rather like Gizmodo's exclusive story based on the purchase of stolen prototype equipment.
Large amounts of personal data are collected by data brokers like Intelius, Spokeo and Whitepages - which makes this easier to pull off. It's fairly trivial to find answers to questions like "What's your DOB?" or "What's your billing address" by looking in one of these places. Most data brokers will have opt-out pages where you can request removal of your data - though they don't make it easy. There are also services that help with this: MyPrivacy (reputation.com/myprivacy) which I work on and Safe Shepherd (safesheperd.com).
We frequently see articles about well connected or influential people like reporters getting preferential support from large companies. This might be the dark side of special response.
Hopefully the article on Honan's experience will open some eyes and make everyone take the security of their personal accounts more seriously. The money in your bank is insured, your online presence is not, and there is a huge imbalance in how consumers address security for each. Some hackers don't want money or notoriety - they just want to watch the world burn.
I wonder if the attacker will be caught and end up in jail.
All password change requests like that must be carefully recorded and are probably very traceable.
Considering the public nature of this exploit, Apple might put quite some effort into carefully investigating the incident.
The kid who hacked Sarah Palin's email got a year in jail. He was convicted of "the felony of anticipatory obstruction of justice by destruction of records and a misdemeanor of unauthorized access to a computer." [wikipedia]
The guy who hacked Honan is certainly guilty of the misdemeanor (which could wind you up in jail) and depending on what he erased and how they want to interpret his motives, he could be guilty of the same felony.
It's a good, interesting piece, but in this case it could easily be that the employee in Mat's case didn't follow correct procedure or was not familiar with it (new employee?). Even if he knew the procedure for these cases there are all kinds of possible explanations: maybe the hacker paid him, maybe he himself is the attacker, etc...
steve8918 | 13 years ago
thaumaturgy | 13 years ago
moe | 13 years ago
It's easily solved; banks and other institutions have been doing it for years.
The solution is trivial, too: Require physical ID.
In order to open a bank account you have to either show up in person, or provide equivalent proof (e.g. PostIdent).
Why should it be different with cloud-services whose stated goal is to silo all your life's data? Why are they excused on lax security?
atirip | 13 years ago
What did I miss?
libria | 13 years ago
veeti | 13 years ago
yen223 | 13 years ago
All they needed for verification was my home address.
I am also pretty leery of putting anything online.
gonehome | 13 years ago
In fact that entire blog post is pretty on point.
loceng | 13 years ago
switch007 | 13 years ago
rogerchucker | 13 years ago
ThePherocity | 13 years ago
tambourine_man | 13 years ago
I smell a rat...
http://forums.macrumors.com/showthread.php?p=15405091#post15...
mapgrep | 13 years ago
akeck | 13 years ago
kristofferR | 13 years ago
_delirium | 13 years ago
yalogin | 13 years ago
feefie | 13 years ago
Jyaif | 13 years ago
kristofferR | 13 years ago
yankcrime | 13 years ago
yesimahuman | 13 years ago
emergencynap | 13 years ago
wd7 | 13 years ago
greedo | 13 years ago
shawndumas | 13 years ago
If the former, it's not Apple's fault. If the latter, that's inexcusable.
riobard | 13 years ago
sp332 | 13 years ago
makomk | 13 years ago
libria | 13 years ago
rogerchucker | 13 years ago
MarkMc | 13 years ago
This would mean that the attacker would have to commit mail fraud, which (a) is quite difficult; and (b) carries heavy penalties in law.
ghshephard | 13 years ago
dinkumthinkum | 13 years ago
Zenst | 13 years ago
epo | 13 years ago
stephenhess | 13 years ago
jws | 13 years ago
jsmcallister | 13 years ago
dennisgorelik | 13 years ago
elmuchoprez | 13 years ago
baldfat | 13 years ago
seagreen | 13 years ago
rogerchucker | 13 years ago
wklauss | 13 years ago