The Macrosite for News, Analysis and Opinion about the Future of the Internet
Kim Davis

Wired Hack Teaches Enterprise Lessons

Written by Kim Davis
8/8/2012 19 comments
no ratings
DISCUSS     Email This

It's bad enough for anyone to have their digital existence laid waste by a hack attack. Perhaps it's slightly worse if you're a tech journalist. Mat Honan, a senior writer at Wired magazine's Gadget Lab, has been painfully honest in laying out the details of an exploit which commandeered his Google and Twitter accounts and erased data from his iPhone, iPad, and MacBook.

"In many ways, this was all my fault," wrote Honan. "My accounts were daisy-chained together." Indeed, the victims of such attacks are legion, and many of us have been wondering this week just how vulnerable our accounts might be.

Honan does pass some blame around, however, and rightly so. Amazon and Apple's customer support portals were weakly defended, and the hackers broke in that way, apparently intent on seizing his Twitter account and using it to post offensive messages (the valued data on his Apple devices seems to have been just collateral damage).

Wired journalists retraced the attackers' steps. All the hackers needed was Honan's name, address, and email. Thus armed, they were able to add a new credit card to the target's Amazon account, and, by using the number of that credit card as validation, add an email address to the account. Send a password re-set request to that new account, and you're in. Although Amazon displays only partial credit card numbers, one of these was enough to persuade Apple to issue a temporary password.

No advanced tech skills were needed here, note, just some remarkably easy social engineering.

Apple and Amazon have been swift to close and lock these particular barn doors, or so they say: customers will no longer be able to make password changes or adjust account settings by phone. (Apple did not respond to my request for comment.)

In Honan's case, the misery has been personal. But what if the hackers had been targeting enterprise data? The story underlines how simple it is for bad actors to access corporate systems, wherever an employee has "daisy-chained" -- great term -- his or her vulnerable private accounts to internal networks (via shared passwords, for example) -- or has downloaded corporate data to his or her private device.

Social engineering is elementary in an age when people not only voluntarily post identifying details -- birthplace, birthday, address, phone numbers -- on social platforms like Facebook, but involuntarily find it appearing on sites like PeekYou and Spokeo. Armed with such basic information, and minimal ingenuity, it's facile for hackers to persuade weary call-center staff (and not just at Amazon and Apple) to provide the key that unlocks an account. Confidential data derived from that account can be used to unlock others.

Before you know it, the hackers are at the enterprise's digital front door, and it's wide open.

Solutions are available. Forced enterprise password changes, policies against "daisy-chaining," controls on downloading files, and, above all, awareness can all help. Nobody wants to be the IT manager who wakes up to find, as Honan put it, "my entire digital life... destroyed."

Related posts:

— Kim Davis Follow me on TwitterVisit my LinkedIn pageFriend me on Facebook, Community Editor, Internet Evolution
DISCUSS     Email This
Current display:       newest comments first       display in chronological order
Page 1 of 2   Next >
mtechie
IQ Crew
Tuesday August 14, 2012 11:05:23 PM
no ratings
It's not just you. I have a tough time remembering what my favorite movie was when I set up a particular account. I usually can't extract the name of my 4th grade elementary teacher from my password-laden brain.
mtechie
IQ Crew
Tuesday August 14, 2012 11:01:45 PM
no ratings
I like your examples of nonsense answers. I totally expected your mother's maiden name to be "Baked Alaska".
Kim Davis
Thinkernetter
Monday August 13, 2012 4:27:36 PM
no ratings

Google and other companies are urging users to tighten web security.

Kim Davis
Thinkernetter
Monday August 13, 2012 4:14:25 PM
no ratings

Is it just me who has trouble remembering the real answers?

Mitch Wagner
Thinkernetter
Monday August 13, 2012 12:44:12 PM
no ratings

Scott, the nonsense-answer technique is a good one, so long as you don't forget your nonsense answer. Even better is to use a different nonsense-answer at each site. 

smkinoshita
Thinkernetter
Friday August 10, 2012 10:25:41 PM
no ratings

One security counter-measure to the really dumb questions is to ensure the answer is not the truth.

For example, if one makes a note to say that the favourite movie is always "Cheeseburger and fries", or that your mother's maiden name is "Alaska", then this both stops the element of mood and social engineering... as long as you remember that your answers are nonsense.

The problem with this technique is when you don't use it universally and forget your own nonsense answer.  Which I have.  Thankfully I managed to remember my password before this was an issue.

But certainly we need to find something better than passwords to validate our identities.  

Mitch Wagner
Thinkernetter
Thursday August 9, 2012 5:34:51 PM
no ratings

One of the things I need to do is activate the authentication app on both my iPhone and Nexus 7 tablet, so if I lose the iPhone it's less likely I'm not locked out of my own account. 

I'm still not sure I'll stick with 2-factor authentication. It just seems like too much is riding on that single point of failure (the phone -- two points if I include the tablet). And I worry that somehow, if a hacker got access to my phone, they'd get access to my accounts, even though I'm not sure how that would work. 

Kim Davis
Thinkernetter
Thursday August 9, 2012 5:02:00 PM
no ratings

Rightly or wrongly, I worry more about what Google is doing with my data than what some outsider might do: but then I'm a pretty low level target. 

mhhfive
IQ Crew
Thursday August 9, 2012 4:40:04 PM
no ratings

I think the risk of locking myself out of my own Gmail account is higher than someone "hacking" into my account... so I'm probably not going to enable the 2-factor authentication... but I assume someday Google might force everyone to do it -- if only to prove that there are real people behind each gmail account....

Kim Davis
Thinkernetter
Thursday August 9, 2012 4:16:18 PM
no ratings

Exactly.  How many times have any of us failed to persuade a call center operative to help us, even when struggling with security questions?  They're trained (I guess) to be...supportive.  And we get angry when someone won't accept that we are who we say we are.

The whole situation needs a rethink.

Page 1 of 2   Next >
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
previous posts from Security Clan Editor's Blog
Kim Davis
Kim Davis   5/21/2013   13 comments
Extending existing US wiretap laws to give federal agencies easier backdoor access to Internet communications -- especially real-time P2P services like VoIP -- will give, not only aid and comfort, but also technical assistance, to the country's enemies. Not to mention cyberthieves.
Kim Davis
Kim Davis   5/15/2013   13 comments
When David E. Sanger of The New York Times broke the news that the United States was responsible for the Stuxnet malware exploit against Iran's nuclear program, Senator John McCain accused the administration of deliberately leaking the story to enhance President Obama's national security record.
Kim Davis
Kim Davis   5/8/2013   14 comments
The Gamma Group's business of supplying surveillance technology exclusively for use by government agencies may be legitimate. But not when it poses as the popular, free, open-source web browser Firefox.
Kim Davis
Kim Davis   5/1/2013   41 comments
If you were concerned about Twitter handing over your private data to the government, think again.
Kim Davis
Kim Davis   4/24/2013   18 comments
Yesterday's hack of the official Associated Press Twitter feed demonstrated the enormous risk attached to the platform's lazy, single factor approach to security.
5
of
Mary E. Shacklett
Doing Social Networking Right
3|19|12   |   2:31   |   9 comments

Companies are still getting their feet wet with social networking and what employees should and shouldn't broadcast. But they don't always involve HR and PR. Here's why they should, and what they risk when they don't.
Second Shooter
A Glimpse of the New Internet!
3|16|12   |   2:07   |   8 comments

A combination of an announcement by DT and a Pew survey is showing us what the next-gen Internet may look like, and why. The demand for flexible services, created by rewired, iPhoned, social brains, combines with cloud and optical technology to create something totally new!
Ann Cavoukian
Privacy Is Everyone's Responsibility
11|1|11   |   4:01   |   17 comments

Ontario's privacy commissioner offers advice to businesses and users for protecting privacy online.
Beau Brendler
Skype Buy Should Come With Security Upgrade
5|12|11   |   1:19   |   3 comments

Skype's acquisition by Microsoft should speed up some long-needed security measures and help the company rise above the social networking risk level. Skype users faced an increasing onslaught of spammers and would-be fraudsters, while left with less-than-friendly means of setting privacy filters.
Second Shooter
Microsoft/Skype May Be a Game-Changer
5|11|11   |   2:05   |   8 comments

Microsoft's buy of Skype could revitalize Phone 7, give Microsoft a social, gaming, and collaborative strategy, and spell the end for old-fashioned telco voice. It will also certainly give Google a headache in its Voice, Chat, and even Android strategy!
Reiter's Block
Tweeting for Customer Support
11|18|09   |   2:20   |   2 comments

When Reiter gets incensed over incompetent Verizon FiOS order-taking and support, he broadcasts it via Twitter. Did it do any good? How should your company offer Twitter support? Watch this for all the answers.
Sweeney Blog
Microsoft's Relevance in the Windows 7 Era
11|13|09   |   2:17   |   3 comments

The release of Microsoft's newest OS raises the question of the company's relevance in an era when Google dominates applications and search, and Apple runs circles around Redmond with its gadgets and user interfaces.
The Incredible Hultquist
Tweet Less, Get More Clicks
11|9|09   |   2:24   |   1 comment

Evidence shows that you can tweet too much. Sites and services like Twitter and Facebook are a good place to reach your audience, but think quality over quantity.
Steve Saunders' Outernet
The Death of Anonymity: Part 3
Part 3 of 4   |   See complete series
10|28|09   |   1:35   |   4 comments

What can users today do to protect their online privacy? The simplest and most obvious option is to not use the Internet – at all. However, once all digital information is consolidated over the Internet, trying to protect digital identity by simply unplugging from the Internet becomes impossible – a fact that has manifest implications for civil liberties, Saunders says.
Steve Saunders' Outernet
The Death of Anonymity: Part 2
Part 2 of 4   |   See complete series
10|27|09   |   2:08   |   9 comments

By 2011 the number of Internet-connected sensors will exceed 1 trillion, making your chances of doing anything or going anywhere unnoticed pretty much zero. Saunders talks about how the 'sensortization' of the Internet is eliminating the traditional divide between online and offline populations.
IETV: the thinkerNet on film
5
of
Kim Davis
Big-Data Can’t Always Sell Wine
5|21|13   |   2:23   |   4 comments

Whole Foods Global Wine Purchaser Doug Bell told me about some of the constraints on using analytics in the US wine market.
Paul J. Fleuranges
Digital Signage Keeps NYC Subway Straphangers on Track
5|6|13   |   3:51   |   No comments

New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
Kim Davis
Fast Forward to the Future
4|23|13   |   2:29   |   20 comments

A look back at tech writing in the 90s makes us wonder where enterprise IT will be 20 years from now.
Mitch Wagner
Google Launches Its Most Depressing Service Yet
4|15|13   |   2:59   |   10 comments

Google's new Inactive Account Manager lets you control how Google disposes of your accounts when you die.
Second Shooter
Argument Over Top-Level Domains Is 'Stupid'
4|11|13   |   2:07   |   3 comments

The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
Kim Davis
Ladies, Your Tablet Awaits
3|21|13   |   2:22   |   37 comments

ePad Femme is the world’s first tablet “made exclusively for women.”
Wisdom of the Big Chair
NFC Moves Into the Mainstream
3|20|13   |   2:16   |   No comments

While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Wisdom of the Big Chair
Integrating Security Into Your Cloud Contract
3|19|13   |   3:35   |   No comments

Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Brian Baron
How Edmunds.com Collects Customer Information
3|18|13   |   1:15   |   No comments

Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
Brian Baron
How Edmunds.com Uses Analytics to Customize Site
3|14|13   |   0:47   |   No comments

The automotive website uses propensity modeling to target ads and customer registration forms, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
an IBM information resource
sponsored content
big blue blog
Todd Watson
an IBM information resource
sponsored content
Expert Integrated Systems: Changing the Experience & Economics of IT
In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator.
READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE!
REGISTER HERE
Wanted! Site Moderators
Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?

Please email: moderators@internetevolution.com
Internet Evolution – not for thickies
Keep Critical Data With a Knowledge Management System
Taimoor Zubair
Fortune 500 companies lose at least $31.5 billion a year by failing to share knowledge. A Knowledge Management System (KMS) can help companies significantly reduce these costs.
CLICK FOR MORE
M2M: Rise of the Machines? Not Yet
David Weldon
In the 1970 science fiction thriller Colossus: The Forbin Project, two giant supercomputers from the United States and Soviet Union secretly join forces to take control of the collective nuclear might of the two countries. In the film, the two machines discover each other's existence, communicate back-and-forth, share their collective data, and cut their human creators out of the process. It is the ultimate example of machine-to-machine communications, or M2M.
CLICK FOR MORE
Write a Strong Corporate Social Media Policy in a Wishy-Washy World
Mary E. Shacklett
Social media has been with us for a decade -- but employer policies and the law are anything but firm about the most appropriate usage of this powerful tool.
CLICK FOR MORE
IT Helps Companies Find the Water
Matt Heusser
I've been writing about how the next evolution of the Internet might just be an advertising revolution, and how corporate IT can stay involved as the enablers and providers of the technologies that make this possible.
CLICK FOR MORE
Write a Strong Corporate Social Media Policy in a Wishy-Washy World
Mary E. Shacklett
Social media has been with us for a decade -- but employer policies and the law are anything but firm about the most appropriate usage of this powerful tool.
CLICK FOR MORE
M2M: Rise of the Machines? Not Yet
David Weldon
In the 1970 science fiction thriller Colossus: The Forbin Project, two giant supercomputers from the United States and Soviet Union secretly join forces to take control of the collective nuclear might of the two countries. In the film, the two machines discover each other's existence, communicate back-and-forth, share their collective data, and cut their human creators out of the process. It is the ultimate example of machine-to-machine communications, or M2M.
CLICK FOR MORE
Is Your Site .Com or .Irrelevant?
Dan Cypra
Businesses often struggle to decide which domain to use. When it comes to purchasing a domain name, you have plenty of extensions to choose from, ranging from .com and .net, to .me, and even .mobi. But which one should you pick?
CLICK FOR MORE