Calling up Amazon, the group was able to use some information they gathered doing research on the topic to reset his Amazon password. From there they got a few digits of his credit card information. Not too bad, right? Wrong. They took this information and gave it to Apple along with some other information they were able to acquire. Now they had access to his iCloud and iTunes account. They wiped his iPhone and iPad clean as well as trashed his MacBook... but they weren't done yet. Going off of this momentum, they turned to attack his email. They had tons of personal information at this point, as well as the personal email address he had tied to iCloud. Resetting his Gmail password was a breeze. After this they went to attack his social network sites. Since they now had access to his email, a simple password reset request was all they needed. Soon after, they used his Twitter account to post homophobic and racist comments. Once they were done, they started deleting everything they could so that Mat couldn't put his digital life back together.
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
This isn’t just my problem. Since Friday, Aug. 3, when hackers broke into my accounts, I’ve heard from other users who were compromised in the same way, at least one of whom was targeted by the same group.
Moreover, if your computers aren’t already cloud-connected devices, they will be soon. Apple is working hard to get all of its customers to use iCloud. Google’s entire operating system is cloud-based. And Windows 8, the most cloud-centric operating system yet, will hit desktops by the tens of millions in the coming year. My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.
At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his .Me e-mail — which, of course, was my .Me e-mail.
In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.
At 4:50 p.m., a password reset confirmation arrived in my inbox. I don’t really use my .Me e-mail, and rarely check it. But even if I did, I might not have noticed the message because the hackers immediately sent it to the trash. They then were able to follow the link in that e-mail to permanently reset my AppleID password.
At 4:52 p.m., a Gmail password recovery e-mail arrived in my .Me mailbox. Two minutes later, another e-mail arrived notifying me that my Google account password had changed.
At 5:02 p.m., they reset my Twitter password. At 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack.
By wiping my MacBook and deleting my Google account, they now not only had the ability to control my account, but were able to prevent me from regaining access. And crazily, in ways that I don’t and never will understand, those deletions were just collateral damage. My MacBook data — including those irreplaceable pictures of my family, of my child’s first year and relatives who have now passed from this life — weren’t the target. Nor were the eight years of messages in my Gmail account. The target was always Twitter. My MacBook data was torched simply to prevent me from getting back in.
Lulz.
Since then, Amazon has changed its policy: http://www.wired.com/gadgetlab/2012/08/amazon-changes-policy-wont-add-new-credit-cards-to-accounts-over-the-phone/
Apple has put a "suspension" on the same, but the policy is still in place.
There's nothing overly impressive about these attacks. There were a few things Mat could have done to mitigate the risk, and overall his practices were what could be called "good" and definitely "above average", but it wasn't enough.
The flaws? The Cloud and proprietary systems. Had it not been for all the hooks in his personal life and things like Apple's "Walled Garden", the damage would have been much less. If there were viable alternatives on Apple's products to Find My iPhone and iCloud, the ability to carry out pinpointed attacks like these would be significantly weakened, because competition would remove the homogeneity needed to make such attacks viable. Apple, however, forbids such competition on their platforms, and nothing offers the complete set of features iCloud and Find My iPhone do (at least not without a jailbroken iPhone).
Anyway, it's a good read and a nice eye-opener.
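
The chain described in this post can be written down as account-recovery rules and audited for the single recovery paths that everything else depends on. The Python below is an added example, not part of the original post or the Wired article; the fact names and the rule set are constructed labels for the steps the post describes.

```python
from typing import Dict, FrozenSet, Iterable, List, Tuple

Rule = Tuple[FrozenSet[str], str]  # (facts the caller must hold, fact granted)

def rule(needs: Iterable[str], grants: str) -> Rule:
    return (frozenset(needs), grants)

# Constructed from the chain in the post; names are illustrative labels.
RULES: List[Rule] = [
    rule({"public_research"}, "amazon_account"),         # phone reset
    rule({"amazon_account"}, "card_last_digits"),        # visible once logged in
    rule({"card_last_digits", "public_research"}, "icloud_account"),
    rule({"icloud_account"}, "me_mailbox"),
    rule({"icloud_account"}, "remote_wipe_devices"),
    rule({"me_mailbox"}, "gmail_account"),               # recovery e-mail
    rule({"gmail_account"}, "twitter_account"),          # password reset e-mail
]

def derive(rules: List[Rule], start: Iterable[str]) -> Dict[str, int]:
    """Forward-chain to a fixpoint; map each fact to the step at which it falls."""
    known = {fact: 0 for fact in start}
    step = 0
    while True:
        step += 1
        # Evaluate every rule against what was known before this step.
        fallen = [g for needs, g in rules
                  if g not in known and needs.issubset(known)]
        if not fallen:
            return known
        for g in fallen:
            known[g] = step

def chain_breakers(rules: List[Rule], start: Iterable[str], target: str) -> List[str]:
    """Recovery paths whose hardening alone makes `target` unreachable."""
    start = set(start)
    return [r[1] for r in rules
            if target not in derive([x for x in rules if x is not r], start)]

if __name__ == "__main__":
    start = {"public_research"}
    for fact, step in sorted(derive(RULES, start).items(), key=lambda kv: kv[1]):
        print(f"step {step}: {fact}")
    print("hardening any one of these protects Twitter:",
          chain_breakers(RULES, start, "twitter_account"))
```

Replacing the rule set with your own accounts and their real recovery options shows which single reset path an audit should prioritise.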